I'm trying to proxy an AD and an OpenLDAP server on a
separate machine to get a 'combined' view.
First problem (or the primary one?) is that the DN doesn't
match.
AD: cn=turbo,ou=Office,ou=Users,ou=org1,dc=org2,dc=company,dc=tld
OL: uid=turbo,ou=People,dc=org3,dc=company,dc=tld
We have absolutely no write/modify access to the AD (we
barely got search/compare access to parts of the AD!).
And the OL server... There's way too much work to modify
(as in massaging the DB and reloading it) that (at the moment).
It's also running 2.3 at the moment, and we don't want to
upgrade that any time soon.
The theory is/was to:
1. Setup a LDAP/META proxy to the AD to act as the
'local' DB.
2. Rewrite the AD DNs to match the OL DB
3. Cache some common queries
4. Glue the OL DB with the AD DB, the OL acting as
the 'remote' DB.
Unfortunately, I can't get step four to work. Any queries
seem to loop to the localhost.
I guess I could use rwm on the OL server to massage the
DN (before it's presented to clients and the proxy), but
I'd much rather do any rewrite etc. on my new proxy server
if possible.
OR
Setup a second OL server on the current OL server, but
on a different port (hidden), which proxies the main
OL and rewrites the DN to match the AD. This hidden server
could then be proxied by the new LDAP proxy, cached etc...
But neither of the alternative solutions is pretty :).
I'll have to maintain and support THREE LDAP servers
(one DB and two proxies), which seems a little too much
work.
And besides, the OL has all the UNIX (posixAccount etc.)
stuff (only), with very few users (most of the organization
doesn't need UNIX accounts) and most of the clients are configured
to use that when searching etc. There are also other reasons
why we would like to keep the OL server layout...
Parts of my slapd.conf:
#######################################################################
database ldap
suffix "dc=company,dc=tld"
rootdn "cn=Manager,dc=company,dc=tld"
rootpw "secret"
# ---------------------------------------------------------------------
##### Active Directory Server (will act as LOCAL DB)
uri ldap://ad.company.tld
idassert-bind bindmethod=simple
        binddn="cn=unixldap,ou=service,ou=users,ou=selud,dc=rd,dc=company,dc=tld"
        credentials="Secret1"
        mode=none
idassert-authzFrom "*"
# ---------------------------------------------------------------------
#### Rewrite/Remap
# http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5941#followup7
overlay rwm
rwm-rewriteEngine yes
rwm-normalize-mapped-attrs yes
rwm-map attribute uid sAMAccountName
rwm-map attribute gecos displayName
rwm-map attribute workPhone telephoneNumber
rwm-map attribute address1 streetAddress
rwm-map attribute city l
rwm-map attribute state st
rwm-map attribute zip postalCode
rwm-map attribute country co
rwm-map attribute c country
rwm-map attribute distinguishedName entryDN
rwm-map objectclass inetOrgPerson user
rwm-map objectclass groupOfNames group
rwm-rewriteContext searchEntryDN
rwm-rewriteRule "cn=(.*)?ou=Office,ou=Users,ou=ORG1,dc=ORG2,(.*)" "uid=$1ou=People,dc=ORG3,$2" ":@"
rwm-rewriteContext searchAttrDN alias searchEntryDN
rwm-rewriteContext matchedDN alias searchEntryDN
# ---------------------------------------------------------------------
#### Proxy Cache
overlay pcache
pcache hdb 2500 3 1 300
pcacheAttrset 0 uid uidNumber gidNumber cn sn givenName distinguishedName
pcacheAttrset 1 c physicalDeliveryOfficeName streetAddress mail
pcacheAttrset 2 uid uidNumber gidNumber cn sn givenName distinguishedName c physicalDeliveryOfficeName streetAddress mail
pcacheTemplate (uid=) 0 3600
pcacheTemplate (cn=) 0 3600
pcacheTemplate (|(uid=)(cn=)) 0 3600
pcacheTemplate (|(cn=)(uid=)) 0 3600
pcacheTemplate (objectClass=) 2 3600
pcacheTemplate (|(objectClass=)(cn=)) 2 3600
pcacheTemplate (gecos=) 1 3600
pcacheTemplate (&(sn=)(givenName=)) 1 3600
cachesize 20
directory /usr/local/turbo/var/openldap-data
index objectClass eq
index cn,sn,uid,mail pres,eq,sub
# ---------------------------------------------------------------------
#### Translucent Proxy
overlay translucent
translucent_strict yes
#translucent_local uid,uidNumber,gidNumber,cn,sn,givenName,distinguishedName,mail
#translucent_remote uid,uidNumber,gidNumber,cn,sn,givenName,distinguishedName,mail
### OpenLDAP Server (will act as REMOTE DB)
uri "ldap://ol.company.tld/"
network-timeout 3
chase-referrals no
acl-bind binddn="cn=Manager,dc=company,dc=tld" credentials="secret"
idassert-bind bindmethod=simple
        binddn="cn=Manager,dc=company,dc=tld"
        credentials="Secret2"
        mode=none
idassert-authzFrom "*"
#######################################################################
Disclaimer: Much of this hasn't been optimized yet. I'll
fine-tune and tweak stuff once I can get it to work...
--
Life sucks and then you die
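Added example (not part of the post above and not OpenLDAP code): a small Python model of what the rwm overlay in the slapd.conf above does to one AD entry, so the DN rewrite rule and the attribute/objectClass maps can be checked offline before touching slapd. It assumes a constructed sample entry (not real directory data), that Python's re module behaves like the regex(3) engine rwm uses (case-sensitive unless told otherwise), and it only models the searchEntryDN context with the single rule from the config, written with rwm's $1/$2 back-references. One thing it makes visible: as pasted, the rule has ou=ORG1,dc=ORG2 in upper case while the example AD DN has org1/org2 in lower case, so with case-sensitive matching nothing is rewritten and the client silently sees the raw AD DN.

```python
import re

# Constructed sample entry in the shape the proxy gets back from AD (not real data).
AD_ENTRY = {
    "dn": "cn=turbo,ou=Office,ou=Users,ou=org1,dc=org2,dc=company,dc=tld",
    "sAMAccountName": ["turbo"],
    "displayName": ["Turbo"],
    "telephoneNumber": ["555-0100"],
    "streetAddress": ["1 Main St"],
    "objectClass": ["top", "person", "user"],
}

# The rwm-rewriteRule from the slapd.conf above, as (pattern, substitution).
# rwm writes back-references as $1, $2; Python's re wants \1, \2 (converted below).
DN_RULES = [
    (r"cn=(.*)?ou=Office,ou=Users,ou=ORG1,dc=ORG2,(.*)",
     r"uid=$1ou=People,dc=ORG3,$2"),
]

# rwm-map attribute <virtual> <real>: clients see the virtual name, the AD
# backend holds the real one. Keyed by the real name so AD data can be presented.
REAL_TO_VIRTUAL_ATTR = {
    "sAMAccountName": "uid",
    "displayName": "gecos",
    "telephoneNumber": "workPhone",
    "streetAddress": "address1",
    "l": "city",
    "st": "state",
    "postalCode": "zip",
    "co": "country",
}
# rwm-map objectclass <virtual> <real>, again keyed by the real (AD) value.
REAL_TO_VIRTUAL_OC = {"user": "inetOrgPerson", "group": "groupOfNames"}


def rewrite_dn(dn, rules=DN_RULES, ignore_case=False):
    """Apply the first matching rule and stop (the ':@' flag in the config
    stops after a match). A DN that matches no rule is returned unchanged,
    which is exactly what a case mismatch looks like from the client side."""
    flags = re.IGNORECASE if ignore_case else 0
    for pattern, subst in rules:
        m = re.search(pattern, dn, flags)
        if m:
            # Turn rwm-style $n into Python-style \n, then build the new DN.
            return m.expand(re.sub(r"\$(\d)", r"\\\1", subst))
    return dn


def present_entry(entry, ignore_case=False):
    """Build the entry as a client of the proxy would see it: rewritten DN,
    attribute names mapped to their virtual names, objectClass values remapped."""
    out = {"dn": rewrite_dn(entry["dn"], ignore_case=ignore_case)}
    for real, values in entry.items():
        if real == "dn":
            continue
        if real == "objectClass":
            out["objectClass"] = [REAL_TO_VIRTUAL_OC.get(v, v) for v in values]
        else:
            out[REAL_TO_VIRTUAL_ATTR.get(real, real)] = list(values)
    return out


if __name__ == "__main__":
    # Rule exactly as pasted: the lower-case DN does not match, nothing is rewritten.
    print(rewrite_dn(AD_ENTRY["dn"]))
    # Case-insensitive match gives the OL-style DN. Note that $1 carries the
    # trailing comma of "turbo," because the pattern has no literal comma
    # between (.*)? and ou=Office; that is why "uid=$1ou=People" still forms a
    # valid DN.
    print(rewrite_dn(AD_ENTRY["dn"], ignore_case=True))
    print(present_entry(AD_ENTRY, ignore_case=True))
```

The DN produced under case-insensitive matching is uid=turbo,ou=People,dc=ORG3,dc=company,dc=tld; dc values compare case-insensitively in LDAP, so that is equivalent to the OL DN in the post, but anything that string-compares DNs (cache keys, client-side code) will see the difference, so it is worth writing the substitution in the exact case the OL server uses.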