<quote who="Andrew Kay">
> Hi,
>
> (Apologies if anybody has already received this, I sent the message
> before subscribing to the list and later discovered that it may not be
> relayed if I wasn't a subscriber.)
>
> I am trying to configure OpenLDAP such that it acts as a subordinate
> to an Active Directory server to allow applications to seamlessly
> authenticate users against both directories via the OpenLDAP server
> (some users will be in OpenLDAP, some in AD). The directory suffixes
> are set up as follows, for example:
>
> Active Directory   dc=xyz, dc=com
> OpenLDAP           ou=Extranet, dc=xyz, dc=com (subordinate)
>
> I have successfully configured OpenLDAP such that a query with a base
> "dc=xyz, dc=com" will return results from both directories.
>
> I now want to add a rewrite rule to entries from the AD directory such
> that Microsoft object classes (user and group) are transformed into
> inetOrgPerson and groupOfNames respectively. Also, I'd like the
> SAMAccountName attribute to be mapped to an attribute named uid. I
> followed the example of using the rwm overlay here:
>
> http://www.openldap.org/lists/openldap-software/200510/msg00256.html
>
> I was then able to perform a query on the uid attribute against the AD
> directory; the entry was returned rewritten as an inetOrgPerson as I
> had expected.
>
> However, I am no longer able to perform a query on the uid attribute
> against the subordinate OpenLDAP directory (base "ou=Extranet, dc=xyz,
> dc=com") as, AFAIK, the rewrite rule is removing it from the query,
> results or both.
Have you analysed your logs to see what's actually happening? What does your current config look like?

> Is it possible to only apply such rewrite rules to entries within the
> AD directory, and leave entries stored in the OpenLDAP subordinate
> directory untouched, or is there a better way to approach this
> problem?
>
>
> Andrew
>
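As an added illustration, not part of either poster's message, here is a slapd.conf layout in which the rwm mappings are declared only inside the back-ldap database that proxies AD, while the local ou=Extranet database carries no overlay at all; the AD hostname, proxy bind credentials, database type and directory path are placeholders, and the loglevel line is there to check what each database actually receives.

```conf
# Added example, not taken from the thread.
# "stats" logs each operation, "filter" logs filter processing,
# which shows whether a uid search reaches the local database intact.
loglevel        stats filter

# Local subordinate database holding the OpenLDAP-only users.
# Listed before its superior so the glue overlay can attach it.
# No overlay is declared here, so entries and filters under
# ou=Extranet are not rewritten.
# (database type and directory path are assumptions)
database        hdb
suffix          "ou=Extranet,dc=xyz,dc=com"
subordinate
directory       /var/lib/ldap/extranet
index           objectClass,uid eq

# Superior database: back-ldap proxy to Active Directory.
# (hostname and bind identity are placeholders)
database        ldap
suffix          "dc=xyz,dc=com"
uri             "ldap://ad.xyz.com"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,cn=Users,dc=xyz,dc=com"
                credentials="PLACEHOLDER"
                mode=none

# Rewriting is attached to this database only. Local names come
# first, AD names second: a search on uid is sent to AD as a search
# on sAMAccountName, and returned entries are presented as
# inetOrgPerson / groupOfNames. "* *" passes every other attribute
# through unchanged.
overlay         rwm
rwm-map         objectclass inetOrgPerson user
rwm-map         objectclass groupOfNames group
rwm-map         attribute   uid sAMAccountName
rwm-map         attribute   * *
```

In slapd.conf a `#` starts a comment only at the beginning of a line, so keep comments off the directive lines as shown above.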
