OpenLDAP as a proxy/rewrite/remap to AD for nss_ldap
- To: openldap-technical@openldap.org
- Subject: OpenLDAP as a proxy/rewrite/remap to AD for nss_ldap
- From: Mikolaj Kucharski <mikolaj@kucharski.name>
- Date: Wed, 9 Dec 2009 03:01:58 +0000
- Mail-followup-to: Mikolaj Kucharski <mikolaj@kucharski.name>, openldap-technical@openldap.org
- User-agent: Mutt/1.5.20 (2009-06-14)
Hi,
I have an Active Directory server, an OpenLDAP server and a client machine.
AD is based on Windows Server 2003, OpenLDAP is 2.3.43-3.el5 running on
CentOS 5 i386, and the client machine is CentOS 5 as well.
Does the OpenLDAP server, in any version, allow me to rewrite/remap/merge
results from:
- Active Directory
- internal LDAP database (or any database)
to make them suitable for nss_ldap?
AD doesn't have all the attributes which are needed by nss_ldap, so I
thought to keep an internal LDAP database with the missing information
(uidNumber, loginShell, etc.) and merge, rewrite, remap or meta this
information, and then give that result to nss_ldap.
I understand that it is possible with slapd-meta to merge different DITs
from different databases into a single DIT, but what I need here is to
merge attributes from one db with a second db (Active Directory), then
rewrite that, and finally return the result to the querying client.
What I mean is, is it possible to rewrite/remap results from AD which
look like this:
# (sAMAccountName=kucharskim)
dn: CN=kucharskim,CN=Users,DC=euops,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: kucharskim
distinguishedName: CN=kucharskim,CN=Users,DC=euops,DC=lan
instanceType: 4
whenCreated: 20091117183353.0Z
whenChanged: 20091117183353.0Z
uSNCreated: 15484
uSNChanged: 15488
name: Mikolaj Kucharski
objectGUID:: PLah511UiUKib3pt8HCJ+g==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129041574477164624
lastLogoff: 0
lastLogon: 129046275442578437
pwdLastSet: 129029564332783194
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA1MNb9pJhAvyslWmgfAcAAA==
accountExpires: 9223372036854775807
logonCount: 9
sAMAccountName: kucharskim
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=euops,DC=lan
memberOf: CN=testgroup,CN=ActiveDirectoryGroups,DC=euops,DC=lan
with pieces missing from another ldap db, to something like this:
# (uid=kucharskim)
dn: uid=kucharskim,ou=People,dc=ldapdomain,dc=lan
uid: kucharskim
cn: Mikolaj Kucharski
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12561
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10207
gidNumber: 10207
homeDirectory: /home/kucharskim
gecos: Mikolaj Kucharski
# (memberUid=kucharskim)
dn: cn=testgroup,ou=Groups,dc=ldapdomain,dc=lan
objectClass: posixGroup
objectClass: top
cn: testgroup
gidNumber: 50201
memberUid: kucharskim
memberUid: ldapuser1
memberUid: ldapuser2
I see that this is something overly complicated, but I wanted to know if
that is possible. If it is, could someone tell me which version of OpenLDAP
supports it and where I can read how to implement that. Thank you.
--
best regards
q#
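The remap the post asks for, written out as a stand-alone Python model (added here as an editorial example; it is not OpenLDAP configuration and not code from the poster). It uses the two entries quoted above, plus one constructed AD user ("noposix") that has no matching posix data, to show the rules a proxy would have to apply: sAMAccountName becomes uid, name becomes cn/gecos, the posix attributes (uidNumber, gidNumber, homeDirectory, loginShell) come only from the local database, AD memberOf values are folded into the local posixGroup as memberUid, and an account with no posix attributes is refused rather than given a default uidNumber. The LDIF parser, DN layout and attribute map are the example's own assumptions. In OpenLDAP itself the attribute/objectclass mapping is the job of the rwm overlay on top of back-ldap, and overlaying locally stored attributes onto proxied entries is what the translucent overlay does; the script only models the merge semantics so they can be checked offline.

```python
"""Model of the AD -> posixAccount/posixGroup remap from the post (example code).

The LDIF below is constructed from the entries quoted in the thread; the
second AD user, 'noposix', is invented to exercise the missing-attribute case.
"""
import base64
from collections import defaultdict

AD_LDIF = """\
dn: CN=kucharskim,CN=Users,DC=euops,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: kucharskim
name: Mikolaj Kucharski
objectGUID:: PLah511UiUKib3pt8HCJ+g==
sAMAccountName: kucharskim
memberOf: CN=testgroup,CN=ActiveDirectoryGroups,DC=euops,DC=lan

dn: CN=noposix,CN=Users,DC=euops,DC=lan
objectClass: user
cn: noposix
name: No Posix
sAMAccountName: noposix
"""

LOCAL_LDIF = """\
dn: uid=kucharskim,ou=People,dc=ldapdomain,dc=lan
uid: kucharskim
uidNumber: 10207
gidNumber: 10207
homeDirectory: /home/kucharskim
loginShell: /bin/bash

dn: cn=testgroup,ou=Groups,dc=ldapdomain,dc=lan
cn: testgroup
gidNumber: 50201
memberUid: ldapuser1
memberUid: ldapuser2
"""

PEOPLE_BASE = "ou=People,dc=ldapdomain,dc=lan"        # local suffix used in the post
AD_TO_POSIX = {"sAMAccountName": "uid", "name": "cn"}  # assumed attribute remap, AD -> posix
POSIX_REQUIRED = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}. Handles '::' base64 values."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):                       # "attr:: <base64>"
                attrs[name].append(base64.b64decode(value[1:].strip()))
            else:
                attrs[name].append(value.strip())
        entries[attrs.pop("dn")[0]] = dict(attrs)
    return entries


def remap_user(ad_entry, local_db):
    """Merge one AD user with its local posix entry. Returns (dn, attrs) or None."""
    uid = ad_entry["sAMAccountName"][0]
    local_dn = f"uid={uid},{PEOPLE_BASE}"
    local = local_db.get(local_dn, {})
    merged = {"objectClass": ["top", "account", "posixAccount"]}
    for ad_attr, posix_attr in AD_TO_POSIX.items():
        if ad_attr in ad_entry:
            merged[posix_attr] = list(ad_entry[ad_attr])
    merged.setdefault("cn", [uid])
    merged["gecos"] = list(merged["cn"])
    for attr in POSIX_REQUIRED:
        if attr in local:                                   # posix data comes from the local db only
            merged[attr] = list(local[attr])
    if any(attr not in merged for attr in POSIX_REQUIRED):
        return None   # refuse a half-built account: no invented uidNumber for nss_ldap
    return local_dn, merged


def remap_group(group_dn, local_db, ad_db):
    """posixGroup = local entry + AD users whose memberOf names the same group RDN."""
    local = local_db[group_dn]
    cn = local["cn"][0]
    members = set(local.get("memberUid", []))
    for entry in ad_db.values():
        for group in entry.get("memberOf", []):
            if group.split(",")[0].lower() == f"cn={cn}".lower():
                members.add(entry["sAMAccountName"][0])
    return {"objectClass": ["top", "posixGroup"], "cn": [cn],
            "gidNumber": list(local["gidNumber"]), "memberUid": sorted(members)}


def to_ldif(dn, attrs):
    """Render an entry back as LDIF text."""
    lines = [f"dn: {dn}"]
    for name, values in attrs.items():
        lines += [f"{name}: {v}" for v in values]
    return "\n".join(lines)


if __name__ == "__main__":
    ad, local = parse_ldif(AD_LDIF), parse_ldif(LOCAL_LDIF)
    for dn, entry in ad.items():
        result = remap_user(entry, local)
        print(to_ldif(*result) if result else f"# skipped {dn}: posix attributes missing", end="\n\n")
    group_dn = "cn=testgroup,ou=Groups,dc=ldapdomain,dc=lan"
    print(to_ldif(group_dn, remap_group(group_dn, local, ad)))
```

Running it prints the posixAccount entry for kucharskim in the shape the post wants, a skip line for the user with no local posix data, and the testgroup posixGroup with kucharskim added to the two local memberUid values.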