OpenLDAP as a proxy for Active Directory (missing attributes)
- To: openldap-technical@openldap.org
- Subject: OpenLDAP as a proxy for Active Directory (missing attributes)
- From: Marius Flage <marius@flage.org>
- Date: Fri, 20 Aug 2010 14:24:52 +0200
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; nb-NO; rv:1.9.1.11) Gecko/20100711 Lightning/1.0b1 Thunderbird/3.0.6
I've been banging my head against the wall with this project for the
last few months and still haven't found a decent solution for my problem.
I'm trying to set up OpenLDAP to act as a proxy for Active Directory.
OpenLDAP should be the internet-facing interface for all external
queries for the AD catalog. I've gotten the connection set up and I'm
able to retrieve and search for most important values. However, when I
try to get out the group membership of the different objects, I've
encountered some problems.
When doing a search directly towards Active Directory I can see the
memberOf attributes for the objects [1], but when I perform the very
same search through the proxy, those attributes have been
ignored/stripped away from the result [2].
I've tried including schemas for Active Directory found on the internet
(like http://www.grotan.com/ldap/microsoft.schema), but if I try to
include this in OpenLDAP I get lots and lots of errors and I have to
start commenting out different attributes and objecttypes to get
OpenLDAP to start. Examples of errors are stuff like:
/etc/ldap/schema/microsoft2.schema: line 30 objectclass: AttributeType
not found: "remoteSource"
And then I comment out the objectclass and retry. And this basically
goes on and on forever.
I've also tried just including the attribute I'm looking for, namely
memberOf, like so:
attributetype ( 1.2.840.113556.1.2.102
NAME 'memberOf'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.12'
NO-USER-MODIFICATION )
And then I get the following error when I try to start slapd:
/etc/ldap/schema/activedirectory.schema: line 60 attributetype:
AttributeType inappropriate USAGE: "memberOf"
/etc/ldap/slapd.conf: line 15: <include> handler exited with 1!
So my question is basically: how can I get the memberOf attribute
included in my searches through OpenLDAP? Do I need to include the
schema or am I approaching this from the wrong angle? What needs to be
done to set up OpenLDAP as a completely transparent proxy towards Active
Directory - basically having it behave as if it were the AD itself answering
whenever you query the proxy?
I'd be very grateful for whatever question or feedback I can get, since
this has been bothering me for a very long time now.
I've also included my slapd.conf file [3] and the schema [4] I've tried
including.
- Marius
[1] http://pastebin.com/E6GVViGE
[2] http://pastebin.com/W28KPSky
[3] http://pastebin.com/T5Wd4JEB
[4] http://pastebin.com/8AGtnj2Q
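Added example (not from the post or from OpenLDAP): a small checker for the memberOf attributetype fragment quoted above. It applies the rule behind the "AttributeType inappropriate USAGE" error as I understand OpenLDAP's schema loader: NO-USER-MODIFICATION is only accepted on an operational attribute, i.e. one whose USAGE is not the default userApplications. The corrected definition it is run against mirrors the way OpenLDAP's own memberof overlay declares memberOf (USAGE dSAOperation); whether that alone makes the proxy pass the attribute through is not confirmed by this thread.

```python
import re

# Tokens: quoted strings, single parens, or bare words (RFC 4512 style).
_TOKEN = re.compile(r"'[^']*'|\(|\)|[^\s()]+")


def parse_attributetype(defn: str) -> dict:
    """Parse an 'attributetype ( ... )' definition into the fields we need.
    Only the keywords relevant to the USAGE check are interpreted."""
    tokens = _TOKEN.findall(defn)
    if tokens and tokens[0].lower() == "attributetype":
        tokens = tokens[1:]
    if tokens and tokens[0] == "(":
        tokens = tokens[1:]
    if tokens and tokens[-1] == ")":
        tokens = tokens[:-1]
    at = {"oid": tokens[0] if tokens else None, "names": [], "syntax": None,
          "equality": None, "no_user_mod": False, "usage": "userApplications"}
    i = 1
    while i < len(tokens):
        tok = tokens[i].upper()
        if tok == "NAME":
            i += 1
            if tokens[i] == "(":           # NAME ( 'a' 'b' ) form
                i += 1
                while tokens[i] != ")":
                    at["names"].append(tokens[i].strip("'"))
                    i += 1
            else:
                at["names"].append(tokens[i].strip("'"))
        elif tok == "SYNTAX":
            i += 1
            at["syntax"] = tokens[i].strip("'")   # quotes ignored for the check
        elif tok == "EQUALITY":
            i += 1
            at["equality"] = tokens[i]
        elif tok == "NO-USER-MODIFICATION":
            at["no_user_mod"] = True
        elif tok == "USAGE":
            i += 1
            at["usage"] = tokens[i]
        i += 1
    return at


def check_attributetype(defn: str) -> list:
    """Return the slapd-style complaints this checker knows about (assumed rule:
    NO-USER-MODIFICATION requires an operational USAGE)."""
    at = parse_attributetype(defn)
    name = at["names"][0] if at["names"] else at["oid"]
    problems = []
    if at["no_user_mod"] and at["usage"].lower() == "userapplications":
        problems.append(f'AttributeType inappropriate USAGE: "{name}"')
    return problems


# Constructed inputs: the fragment from the post, and a corrected variant.
POSTED = """attributetype ( 1.2.840.113556.1.2.102
NAME 'memberOf'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.12'
NO-USER-MODIFICATION )"""

FIXED = """attributetype ( 1.2.840.113556.1.2.102
NAME 'memberOf'
DESC 'group membership back-link as returned by AD'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
NO-USER-MODIFICATION
USAGE dSAOperation )"""

if __name__ == "__main__":
    print(check_attributetype(POSTED))  # reproduces the error from the post
    print(check_attributetype(FIXED))   # []
```

Note that an attribute with USAGE dSAOperation is operational, so an LDAP client only receives it when it asks for memberOf by name (or for "+"), which matters when comparing proxy results against a direct AD search.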