The following is the config we are using in order to provide a read-only anonymous bind to our backend ADS directory. In order for the rwm-mapping stuff to work without issues you must apply the changes Pierangelo made. Namely, update the following files from HEAD:
servers/slapd/overlays/rwm.c
servers/slapd/overlays/rwm.h
servers/slapd/overlays/rwmmap.c
servers/slapd/back-meta/map.c

------------- Begin config ---------------
defaultsearchbase "dc=mydomain,dc=com"

#######################################################################
# Database definitions
#######################################################################
database ldap
uri "ldap://ads.mydomain.com/"
lastmod off
chase-referrals no
suffix "dc=mydomain,dc=com"

# Identity slapd binds with when it needs to read the backend on its
# own behalf (ACL evaluation).
acl-bind bindmethod=simple
    binddn="cn=aclbrowser,ou=users,dc=mydomain,dc=com"
    credentials="MyPassword"
    authzID="aclbrowser"

# Identity used towards the backend for client operations.
idassert-bind bindmethod=simple
    binddn="cn=attrbrowser,ou=users,dc=mydomain,dc=com"
    credentials="MyPassword"
    mode=none

# This controls what attribs can be accessed by the LDAP proxy.
# The last rwm-map line maps all other attributes to nothing.
overlay rwm
rwm-map objectclass account user
rwm-map attribute uid sAMAccountname
rwm-map attribute cn name
rwm-map attribute sn sn
rwm-map attribute mail mail
rwm-map attribute company company
rwm-map attribute entry entry
rwm-map attribute *

access to dn.subtree="dc=mydomain,dc=com"
    by * read
-------------- End config ----------------

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Grober
Sent: Friday, October 14, 2005 4:08 PM
To: [email protected]
Subject: Re: OpenLDAP as proxy for Active Directory

Could you detail the steps you took to set up the proxy? We are trying to accomplish the same kind of thing and I am knocking myself silly trying to make this happen..... Does the proxy require the admin dn/password?

On Fri, 14 Oct 2005 21:23:57 +0200, Jan Schmidt wrote
> Hi list,
>
> I managed to set up OpenLDAP (2.2.23 on SuSE 9.3) as read-only proxy
> to our Active Directory using the ldap/meta backend. Now I've found
> two annoying drawbacks.
>
> (1) One strange behaviour is that an ldapsearch on the proxy returns
> only a subset of the available attributes of the object. The same
> ldapsearch to the Active Directory returns the full set.
>
> (2) Active Directory allows [EMAIL PROTECTED] as bindDN. While slapd is
> configured to be a proxy it doesn't send the bindDN to the AD but
> parses it. This results in an error message:
>
> <= ldap_bv2dn([EMAIL PROTECTED])=-4 Decoding error
> bind: invalid dn ([EMAIL PROTECTED])
>
> I tried to do the rewrite stuff mentioned in slapd-meta.5 but it
> doesn't work.
>
> Can somebody give me some hints or has anyone got a fully functional
> AD-proxy configuration?
>
> Best regards,
> Jan Schmidt
>
> ---------------------------------------------------------------
> AG Anwendungen/Multimedia Rechenzentrum Universität Greifswald
> http://www.multimedia.uni-greifswald.de/
> Tel: +49 3834 861416 Fax: +49 3834 8680016
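To make concrete what the rwm-map lines in the config at the top of this thread actually expose, here is an added example that is not code from the original post or from OpenLDAP. It models the directive semantics as slapo-rwm(5) describes them (a local name maps to a foreign name in both directions, a bare foreign name hides that attribute, and a bare "*" hides everything not explicitly mapped) and runs a client search and a backend entry through that model. The config text, the request and the Active Directory entry are constructed; how the real overlay treats objectClass under the attribute wildcard is an assumption in this model.

```python
"""Model of the rwm-map allow-list from the slapd.conf posted above.

Added example, not OpenLDAP code. Semantics follow slapo-rwm(5):
  rwm-map <kind> <local> <foreign>   local <-> foreign, both directions
  rwm-map <kind> <foreign>           that foreign name is hidden
  rwm-map <kind> *                   everything not mapped is hidden
How the real overlay treats objectClass under "rwm-map attribute *"
is an assumption here: objectClass is kept and its values are mapped.
"""

# Constructed copy of the rwm-map lines from the posted config.
RWM_MAP_CONFIG = """
rwm-map objectclass account user
rwm-map attribute uid sAMAccountname
rwm-map attribute cn name
rwm-map attribute sn sn
rwm-map attribute mail mail
rwm-map attribute company company
rwm-map attribute entry entry
rwm-map attribute *
"""


def parse_rwm_map(config_text):
    """Return (maps, hidden, drop_unmapped), keyed by 'attribute'/'objectclass'.

    maps[kind]: {lowercased local name: foreign name as written}
    hidden[kind]: lowercased foreign names hidden by a bare rwm-map line
    drop_unmapped[kind]: True when "rwm-map <kind> *" hides the rest
    """
    maps = {"attribute": {}, "objectclass": {}}
    hidden = {"attribute": set(), "objectclass": set()}
    drop_unmapped = {"attribute": False, "objectclass": False}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].lower() != "rwm-map":
            continue
        kind = parts[1].lower()
        if kind not in maps:
            raise ValueError(f"unknown rwm-map kind: {parts[1]}")
        if len(parts) == 3:           # only a foreign name: hide it
            if parts[2] == "*":
                drop_unmapped[kind] = True
            else:
                hidden[kind].add(parts[2].lower())
        else:                         # local name -> foreign name
            maps[kind][parts[2].lower()] = parts[3]
    return maps, hidden, drop_unmapped


def forward_request(maps, drop_unmapped, requested):
    """Rewrite a client's requested attribute list into backend names.

    Returns (forwarded, dropped): names sent to the backend, and names
    the proxy will not forward because nothing maps them.
    """
    forwarded, dropped = [], []
    for name in requested:
        foreign = maps["attribute"].get(name.lower())
        if foreign is not None:
            forwarded.append(foreign)
        elif drop_unmapped["attribute"]:
            dropped.append(name)
        else:
            forwarded.append(name)
    return forwarded, dropped


def rewrite_result(maps, hidden, drop_unmapped, entry):
    """Rewrite an entry from the backend into what the client sees.

    Names match case-insensitively, as LDAP attribute types do, so the
    config's "sAMAccountname" still catches AD's "sAMAccountName".
    """
    rev_attr = {f.lower(): local for local, f in maps["attribute"].items()}
    rev_oc = {f.lower(): local for local, f in maps["objectclass"].items()}
    out = {}
    for attr, values in entry.items():
        key = attr.lower()
        if key in hidden["attribute"]:
            continue
        if key == "objectclass":      # assumption: survives the wildcard
            local = "objectClass"
            values = [rev_oc.get(v.lower(), v) for v in values
                      if v.lower() not in hidden["objectclass"]
                      and (v.lower() in rev_oc
                           or not drop_unmapped["objectclass"])]
        elif key in rev_attr:
            local = rev_attr[key]
        elif drop_unmapped["attribute"]:
            continue                  # not mapped: never leaves the proxy
        else:
            local = attr
        out[local] = list(values)
    return out


def demo():
    """Run the model over a constructed AD entry and client request."""
    maps, hidden, drop = parse_rwm_map(RWM_MAP_CONFIG)
    ad_entry = {                      # constructed sample AD user
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["jdoe"],
        "name": ["John Doe"],
        "sn": ["Doe"],
        "mail": ["jdoe@mydomain.com"],
        "company": ["Example Corp"],
        "memberOf": ["CN=Domain Admins,CN=Users,DC=mydomain,DC=com"],
        "userAccountControl": ["512"],
    }
    request = ["uid", "cn", "mail", "memberOf"]
    return (forward_request(maps, drop, request),
            rewrite_result(maps, hidden, drop, ad_entry))


if __name__ == "__main__":
    print(demo())
```

The closing `rwm-map attribute *` is what turns the mapping into an allow-list: `memberOf` and `userAccountControl` are neither forwarded when a client asks for them nor returned when AD sends them, and the model shows `uid`/`cn` travelling to the backend as `sAMAccountname`/`name` and back again. That allow-list is the only thing limiting exposure here, because the ACL grants `by * read` to anonymous clients; drop the wildcard line and every AD attribute the `attrbrowser` account can read becomes anonymously readable through the proxy. Note too that both bind DNs' passwords sit in slapd.conf in the clear, so the file's permissions are part of the security boundary.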
