OpenLDAP as a proxy for Active Directory (missing attributes)

I've been banging my head against the wall with this project for the
last few months and still haven't found a decent solution for my problem.

I'm trying to set up OpenLDAP to act as a proxy for Active Directory.
OpenLDAP should be the internet-facing interface for all external
queries for the AD catalog. I've gotten the connection set up and I'm
able to retrieve and search for most important values. However, when I
try to get out the group membership of the different objects, I've
encountered some problems.

When doing a search directly towards Active Directory I can see the
memberOf attributes for the objects [1], but when I perform the very
same search through the proxy, those attributes have been
ignored/stripped away from the result [2].

I've tried including schemas for Active Directory found on the internet
(like http://www.grotan.com/ldap/microsoft.schema), but if I try to
include this in OpenLDAP I get lots and lots of errors and I have to
start commenting out different attributes and objecttypes to get
OpenLDAP to start. Examples of the errors are things like:

/etc/ldap/schema/microsoft2.schema: line 30 objectclass: AttributeType
not found: "remoteSource"

And then I comment out the objectclass and retry. And this basically
goes on and on forever.

I've also tried just including the attribute I'm looking for, namely
memberOf, like so:

attributetype ( 1.2.840.113556.1.2.102
        NAME 'memberOf'
        SYNTAX '1.3.6.1.4.1.1466.115.121.1.12'
        NO-USER-MODIFICATION )

And then I get the following error when I try to start slapd:

/etc/ldap/schema/activedirectory.schema: line 60 attributetype:
AttributeType inappropriate USAGE: "memberOf"
/etc/ldap/slapd.conf: line 15: <include> handler exited with 1!

So my question is basically: how can I get the memberOf attribute
included in my searches through OpenLDAP? Do I need to include the
schema, or am I approaching this from the wrong angle? What needs to be
done to set up OpenLDAP as a completely transparent proxy towards Active
Directory, basically having it behave as if it were the AD itself answering
whenever you query the proxy?

I'd be very grateful for whatever question or feedback I can get, since
this has been bothering me for a very long time now.

I've also included my slapd.conf file [3] and the schema [4] I've tried
including.

- Marius

[1] http://pastebin.com/E6GVViGE
[2] http://pastebin.com/W28KPSky
[3] http://pastebin.com/T5Wd4JEB
[4] http://pastebin.com/8AGtnj2Q
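The "AttributeType inappropriate USAGE" error in the post comes from a rule slapd enforces at startup: NO-USER-MODIFICATION is only permitted on operational attributes (USAGE directoryOperation, distributedOperation or dSAOperation), and the definition above declares neither, so it defaults to userApplications. Making memberOf operational would be the wrong fix for a proxy, because operational attributes are not returned by a plain search unless the client asks for them explicitly. The following is an added example, not Marius's configuration and not anything from the pastebins: a minimal schema file defining memberOf as an ordinary user attribute with AD's published OID and DN syntax, plus the relevant part of a slapd.conf for the ldap backend. Every path, hostname, certificate file and DN in it is an assumption chosen for illustration; the access control and TLS lines reflect that the proxy is meant to be internet-facing.

```conf
# /etc/ldap/schema/ad-memberof.schema
#
# Added example, not from the original post. The OID and the DN syntax
# (1.3.6.1.4.1.1466.115.121.1.12) are AD's values for memberOf.
#
# Compared with the definition in the post: NO-USER-MODIFICATION is dropped,
# because slapd only allows it on operational attributes and a proxied
# memberOf should stay a user attribute so it is returned by default. An
# EQUALITY rule is added, because without one a filter such as
# (memberOf=cn=...,...) is treated by slapd as an undefined filter and is
# never forwarded to AD.
attributetype ( 1.2.840.113556.1.2.102
        NAME 'memberOf'
        DESC 'Active Directory group membership back-link (proxied)'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

# /etc/ldap/slapd.conf (relevant part only; paths, hosts and DNs are assumed)
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/ad-memberof.schema

# The proxy listens on the internet: present a certificate and refuse
# any operation that is not protected by TLS of at least 128-bit strength.
TLSCertificateFile      /etc/ldap/proxy-cert.pem      # assumed path
TLSCertificateKeyFile   /etc/ldap/proxy-key.pem       # assumed path
security                tls=128

# Do not hand out anything to anonymous or unauthenticated clients;
# whoever binds successfully (the bind is forwarded to AD) may read.
access to *
        by users read
        by * none

database        ldap
suffix          "dc=example,dc=com"                  # assumed AD naming context
uri             "ldaps://dc1.example.com"            # assumed domain controller
protocol-version 3
chase-referrals  no
# Reuse the client's own credentials on the connection to AD, so AD's own
# permissions decide what each client can see.
rebind-as-user   yes
```

Before restarting, `slaptest -f /etc/ldap/slapd.conf -u` parses the schema and config without touching any database, which catches the USAGE and "AttributeType not found" class of errors up front. Two caveats: the suffix must be the naming context AD actually serves, otherwise requests are not forwarded as-is and the rwm overlay with suffixmassage is needed; and this schema file only covers memberOf, so any other AD-specific attribute the clients need has to be declared the same way.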