Re: problems with slapd-ldap and overlays in using OpenLDAP as an LDAP proxy
On 8/6/07, Pierangelo Masarati wrote:
> DePriest, Jason R. wrote:
> > I am a complete newbie with OpenLDAP. I have worked with Windows NT
> > Domains and Active Directory for a long time. I've also worked with
> > Microsoft ADAM and CA's eTrust Admin Directory.
> >
> > However, I am having trouble getting OpenLDAP to perform what I think
> > are basic functions.
> >
> > I have a Debian GNU/Linux Etch system with a 2.6.18 kernel.
> >
> > slapd reports a version of 2.3.30.
>
> slapd-ldap(5) saw some significant enhancements around 2.3.34 or so; I'd
> recommend updating to the latest (2.3.37 right now).
>
I was able to get slapd 2.3.35 from Debian's testing tree. The
unstable tree has the same version.
If I need to go higher, I can just compile it myself.
> >
> > I have slapd running and I am able to authenticate with the local admin account.
> >
> > What I want is for it to take requests for domain.com, ask the real
> > domain.com LDAP server (Active Directory) to handle it, then provide
> > the answer to the client.
> >
> > I want to have an OpenLDAP server in my DMZ proxy connections to my
> > internal network without actually storing any account information
> > locally (except for the local admin).
> >
> > I think this is the relevant configuration information (comments removed):
> > include /etc/ldap/schema/core.schema
> > include /etc/ldap/schema/cosine.schema
> > include /etc/ldap/schema/nis.schema
> > include /etc/ldap/schema/inetorgperson.schema
> > pidfile /var/run/slapd/slapd.pid
> > argsfile /var/run/slapd/slapd.args
> > loglevel 0
> > modulepath /usr/lib/ldap
> > moduleload back_bdb
> > moduleload back_ldap
>
> moduleload rwm
Done. I thought I had tried this, but apparently not. Unless
something changed between 2.3.30 and 2.3.35.
>
> > sizelimit 500
> > tool-threads 1
> > backend bdb
> > checkpoint 512 30
> > database ldap
> > lastmod off
>
> ^^^ not needed
Deleted this line.
>
> > uri "ldap://server.domain.com"
> > map attribute uid sAMAccountName
> > map attribute cn name
> > map attribute mail userPrincipalName
> > map objectclass account user
> > map attribute *
> > idassert-bind bindmethod=simple
> >     binddn="cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com"
> >     credentials="<password>"
> >     method=self
> > chase-referrals yes
>
> ^^^ this might give undesired effects; only activate if strictly
> required, and after careful testing.
Commented this line out.
>
> > database bdb
> > suffix "dc=domain,dc=com"
> > rootdn "cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com"
> > directory "/var/lib/ldap"
> > dbconfig set_cachesize 0 2097152 0
> > dbconfig set_lk_max_objects 1500
> > dbconfig set_lk_max_locks 1500
> > dbconfig set_lk_max_lockers 1500
> > index objectClass eq
> > lastmod on
> > access to attrs=userPassword,shadowLastChange
> >     by dn="cn=admin,dc=ftbco,dc=ftn,dc=com" write
> >     by anonymous auth
> >     by self write
> >     by * none
> > access to dn.base="" by * read
> > access to *
> >     by dn="cn=admin,dc=ftbco,dc=ftn,dc=com" write
> >     by * read
> >
[ cut out my errors from first post ]
>
> p.
>
>
>
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
>
> SysNet s.r.l.
> via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ---------------------------------------
> Office: +39 02 23998309
> Mobile: +39 333 4963172
> Email: pierangelo.masarati@sys-net.it
> ---------------------------------------
>
>
>
slapd runs with no critical errors. I can connect and bind with
the local admin account.
I cannot seem to get it to reach out to the other LDAP server. It
just searches itself and gives up when it cannot find what it is
looking for.
There are no errors, it just finds 0 matches.
I don't have rootDSE set anywhere. Do I need that for this to work?
-Jason
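As an added example, not the poster's configuration and not something from the reply, here is one way the proxy stanza can be laid out in slapd.conf for OpenLDAP 2.3, taking up the points Pierangelo raises: rwm loaded explicitly, no "lastmod off", and referral chasing left at its default. The host name, DNs, password and the alternative local suffix are placeholders, and mode=none is one of the identity-assertion modes slapd-ldap(5) offers, chosen here because it needs no support on the Active Directory side.

```conf
# Added example (not the poster's config): a slapd-ldap proxy database for
# OpenLDAP 2.3. server.domain.com, the DNs and <password> are placeholders.
modulepath      /usr/lib/ldap
moduleload      back_ldap
# rwm provides the attribute/objectClass mapping; load it explicitly.
moduleload      rwm

# The proxy database must own the naming context that clients search;
# slapd routes a request to whichever database holds its suffix, so a
# local bdb database for the admin account has to use a different suffix
# (placeholder: dc=proxy,dc=local), or those searches never leave slapd.
database        ldap
suffix          "dc=domain,dc=com"
uri             "ldap://server.domain.com"

# Bind to Active Directory as a service account. Continuation lines start
# with whitespace. With mode=none the proxy always binds as this account and
# never sends a proxied-authorization control, so the remote server need
# not support that control. The password is stored in cleartext here, so
# slapd.conf must be readable by the slapd user only.
idassert-bind   bindmethod=simple
                binddn="cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com"
                credentials="<password>"
                mode=none
# chase-referrals is left at its default (off), as the reply advises, and
# "lastmod off" is omitted because the reply marks it as not needed.

# Map the client-facing names onto the Active Directory schema.
overlay         rwm
rwm-map         attribute uid sAMAccountName
rwm-map         attribute cn name
rwm-map         attribute mail userPrincipalName
rwm-map         objectclass account user
# Pass every attribute not listed above through unchanged.
rwm-map         attribute *
```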