On Fri, 2005-10-14 at 21:23 +0200, Jan Schmidt wrote:
> Hi list,
>
> I managed to set up OpenLDAP (2.2.23 on SuSE 9.3) as a read-only proxy to our
> Active Directory using the ldap/meta backend. Now I've found two annoying
> drawbacks.
>
> (1) One strange behaviour is that a ldapsearch on the proxy returns only a
> subset of the available attributes of the object. The same ldapsearch to the
> Active Directory returns the full set.

You need to define the attributes you want to see in slapd's schema. Or, if
you use a recent 2.3 (>= 2.3.7), the so-called "proxied" attributes
(undefined attributes, after they first get returned by a search through a
proxy backend) will show up with minimal syntax checks.

> (2) Active Directory allows [EMAIL PROTECTED] as bindDN. While slapd is
> configured to be a proxy it doesn't send the bindDN to the AD but parses it.
> This results in an error message:
> <= ldap_bv2dn([EMAIL PROTECTED])=-4 Decoding error
> bind: invalid dn ([EMAIL PROTECTED])
> I tried to do the rewrite stuff mentioned in slapd-meta.5 but it doesn't work.

That cannot work because rewriting occurs __after__ the frontend has validated
the incoming data.

> Can somebody give me some hints or has anyone got a fully functional
> AD-proxy configuration?

Provided AD supports the proxyAuthz control (draft-weltman-ldapv3-proxy; I'm
not 100% sure), and provided you use 2.3.11 with a fix I just committed to
back-ldap (servers/slapd/back-ldap/bind.c 1.129 -> 1.130), you can obtain
what you need by using SASL bind plus idassert; you need to set up SASL so
that authentication is propagated to the AD; you should ask some SASL expert
what's the most appropriate means to obtain that. Then you need to configure
the proxy slapd.conf as:

    database        ldap
    suffix          "dc=domain"
    uri             "ldap://ad.domain"
    idassert-bind   bindmethod=simple
                    binddn="cn=admin,dc=domain"
                    credentials="secret"
                    method=self

p.

SysNet - via Dossi,8 27100 Pavia
Tel: +390382573859
Fax: +390382476497
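The point made in the reply about item (2), that the frontend validates the bind DN before any slapd-meta rewrite rule can run, is easy to see with a small model of that ordering. The following is an added example, not code from the thread or from OpenLDAP: `parse_dn` is a constructed parser for the RFC 4514 DN string form standing in for the frontend check (it is not `ldap_bv2dn`), `proxy_bind` models the validate-then-rewrite order described above, and `upn_to_dn` is a hypothetical rewrite that would map a `user@domain` name to a DN if it were ever reached.

```python
import re

# Added illustration for the "bind: invalid dn" exchange above. This is NOT
# OpenLDAP's ldap_bv2dn(); it is a small, constructed parser for the RFC 4514
# DN string form, used only to show which bind DNs pass a frontend syntax check
# and why a rewrite rule applied afterwards never gets a chance to run.

# attribute type: a descriptor (keystring) or a dotted numeric OID
_ATTR_TYPE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$')


def _split_unescaped(text, sep):
    """Split text on sep, keeping backslash-escaped pairs (e.g. '\\,') intact."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):
            cur.append(text[i:i + 2])   # escaped pair, copied verbatim
            i += 2
            continue
        if ch == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    return parts


def parse_dn(dn):
    """Return the DN as a list of RDNs, each a list of (type, value) pairs,
    or None when the string is not a syntactically valid DN."""
    if dn == '':
        return []                        # the empty DN is valid (root DSE)
    rdns = []
    for rdn in _split_unescaped(dn, ','):
        avas = []
        for ava in _split_unescaped(rdn, '+'):
            if '=' not in ava:
                return None              # no "type=value": e.g. user@domain
            atype, value = ava.split('=', 1)
            atype = atype.strip()
            if not _ATTR_TYPE.match(atype):
                return None
            avas.append((atype, value.strip()))
        rdns.append(avas)
    return rdns


def frontend_accepts_bind_dn(dn):
    """The frontend's first gate: only a parseable DN reaches the backend."""
    return parse_dn(dn) is not None


def proxy_bind(dn, rewrite):
    """Order of operations as described in the reply: the frontend validates
    the bind DN first; the backend's rewrite rules run only afterwards.
    `rewrite` is any callable mapping the validated DN to the DN sent upstream
    (a hypothetical stand-in for slapd-meta's rewrite engine)."""
    if not frontend_accepts_bind_dn(dn):
        return ('error', 'invalid dn (%s)' % dn)
    return ('ok', rewrite(dn))


def upn_to_dn(dn):
    """Hypothetical rewrite that would map user@domain to cn=user,dc=domain.
    In proxy_bind it is never reached for a UPN, which is the point of the thread."""
    if '@' in dn and '=' not in dn:
        user, domain = dn.split('@', 1)
        return 'cn=%s,%s' % (user, ','.join('dc=' + p for p in domain.split('.')))
    return dn


if __name__ == '__main__':
    # constructed sample bind names: a proper DN and an AD-style UPN
    for bind_dn in ('cn=admin,dc=domain', 'jan@ad.domain'):
        print(bind_dn, '->', proxy_bind(bind_dn, upn_to_dn))
```

Run stand-alone, the script shows the proper DN reaching the rewrite step while the UPN is refused with `invalid dn` before `upn_to_dn` is ever called, even though `upn_to_dn` alone would happily turn it into a DN. That is why the suggested route is to change what the frontend sees (SASL bind plus idassert) rather than to rewrite the DN downstream.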
