>From: [email protected]
>[mailto:[email protected]] On Behalf Of Chris O'Kelly
>Sent: Tuesday, 3 April 2012 2:46 PM
>To: [email protected]
>Subject: AD proxy in OpenLDAP
>
>Hi guys,
>
>Posted a while back but didn't get far, just trying again to see if I can get this working. We have AD on our DC server, working fine, and a list of external clients in OpenLDAP, also working fine. We have a new web service that needs to authenticate against only one DSA, so I need to have the OpenLDAP DSA proxy to AD. The initial setup in OpenLDAP is -
>
>dn: cn=module,cn=config
>objectClass: olcModuleList
>cn: module
>olcModulepath: /usr/lib/ldap
>olcModuleload: back_hdb
>olcModuleload: back_ldap
>
>dn: olcDatabase=hdb,cn=config
>objectClass: olcDatabaseConfig
>objectClass: olcHdbConfig
>olcDatabase: {1}hdb
>olcSuffix: dc=companyname,dc=local
>olcDbDirectory: /var/lib/ldap
>olcRootDN: cn=admin,dc=companyname,dc=local
>olcRootPW: secret
>olcDbConfig: set_cachesize 0 2097152 0
>olcDbConfig: set_lk_max_objects 1500
>olcDbConfig: set_lk_max_locks 1500
>olcDbConfig: set_lk_max_lockers 1500
>olcDbIndex: objectClass eq
>olcLastMod: TRUE
>olcDbCheckpoint: 512 30
>olcAccess: to attrs=userPassword by dn="cn=admin,dc=companyname,dc=local" write by anonymous auth by self write by * none
>olcAccess: to attrs=shadowLastChange by self write by * read
>olcAccess: to dn.base="" by * read
>olcAccess: to * by dn="cn=admin,dc=companyname,dc=local" write by * read
>
>the ldap backend I have added with ldapadd is -
>
>olcDatabase: ldap
>olcSuffix: dc=internal,dc=companyname,dc=local
>olcDbDirectory: /var/lib/ldap
>uri: ldap://companyname.local
>acl-bind: bindmethod=simple binddn="CN=proxy,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=companyname,DC=local" credentials=secret.
I was advised that acl-bind is not used for binding to the AD server, so to do a search on dc=internal,dc=companyname,dc=local you would have to bind with a valid AD account. What do you get when you do:

ldapsearch -D "CN=proxy,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=companyname,DC=local" -w secret -b "dc=internal,dc=companyname,dc=local" -H ldap://companyname.local

>
>When I attempt to search on dc=companyname,dc=local I get results. When I attempt to search AD directly from the server running OpenLDAP I get results. However if I search dc=internal,dc=companyname,dc=local pointed at OpenLDAP I get No Such Object (32).
>
>I believe this could be related to one of two things, however I have been unable to find the fix (I have read the slapd, slapd-ldap, slapd-relay, slapd-pbind manpages, as well as numerous tutorials). I believe it is either that I am missing the schema files for AD or that I am incorrect in putting the LDAP backend in a separate dc (internal). On AD the base suffix is also just dc=companyname, dc=local, I put the LDAP backend in this suffix as the rest of the directory is already in dc=companyname,dc=local in OpenLDAP and I wished for it to be separate, I don't know if this has caused the issue. As for the schema files, I used Apache directory studio to export the cn=schema branch from AD into an LDIF file and attempted to add it using ldapadd, the result was
>adding new entry "CN=Schema,CN=Configuration,DC=companyname,DC=local"
>ldap_add: Undefined attribute type (17)
>        additional info: instanceType: attribute type undefined

I haven't as yet exported the schema, but when I bind to openldap with an AD DN it works fine for me, for bind and search on the attributes I want.

>
>I have been trying to figure out this issue for weeks and I am at my wits end. I am seriously at the point of contemplating trying to find someone I can pay to show me the fix.
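For anyone reproducing this setup, below is an added example of my own (it is not Chris's configuration and not anything posted in this thread) showing how a back-ldap proxy to AD is declared in cn=config form. Two things differ from the LDIF quoted above: in cn=config the back-ldap directives are spelled olcDbURI, olcDbACLBind and olcDbIDAssertBind rather than the slapd.conf keywords uri and acl-bind, and the entry needs objectClass olcLDAPConfig (back-ldap has no olcDbDirectory). Second, back-ldap forwards a search base unchanged, so a base of dc=internal,dc=companyname,dc=local is sent to AD as-is and AD, whose naming context is dc=companyname,dc=local, answers noSuchObject; the rwm overlay's suffix massaging translates between the two suffixes. The example assumes the hostname and DNs from the original post, that the module entry is cn=module{0},cn=config, that the rwm module is loadable from /usr/lib/ldap, and that AD presents a server certificate for StartTLS; the password is a placeholder.

```ldif
# Added example, not from the thread. Host and DNs are taken from the
# original post; CHANGEME is a placeholder, not a real credential.

# Load the rewrite/remap overlay next to the already loaded backends
# (assumes the existing module entry is cn=module{0},cn=config).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm

# back-ldap database in cn=config form. Note the olcDb* attribute names,
# the olcLDAPConfig object class and the absence of olcDbDirectory.
dn: olcDatabase={2}ldap,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcSuffix: dc=internal,dc=companyname,dc=local
olcDbURI: ldap://companyname.local
# Protect the simple-bind credentials on the wire; requires a server
# certificate on the AD side (assumption), otherwise use ldaps://.
olcDbStartTLS: start
# AD returns referrals for its other partitions; do not chase them.
olcDbChaseReferrals: FALSE
# Identity used when the proxy queries AD on a client's behalf, and the
# only local identity allowed to trigger that assertion.
olcDbIDAssertBind: bindmethod=simple binddn="CN=proxy,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=companyname,DC=local" credentials=CHANGEME
olcDbIDAssertAuthzFrom: "dn.exact:cn=admin,dc=companyname,dc=local"
# Identity used only for ACL checks against proxied entries.
olcDbACLBind: bindmethod=simple binddn="CN=proxy,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=companyname,DC=local" credentials=CHANGEME
# A client that binds with its own DN is bound to AD as itself.
olcDbRebindAsUser: TRUE

# Map the local suffix to AD's naming context on the way out and back,
# so a search under dc=internal,... reaches AD as dc=companyname,dc=local.
dn: olcOverlay={0}rwm,olcDatabase={2}ldap,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {0}rwm
olcRwmRewrite: rwm-suffixmassage "dc=internal,dc=companyname,dc=local" "dc=companyname,dc=local"
```

Apply it with ldapmodify over the local socket (for example `ldapmodify -Y EXTERNAL -H ldapi:///`), then search dc=internal,dc=companyname,dc=local against the OpenLDAP server. Because the local hdb database owns dc=companyname,dc=local, a bind with a raw AD DN is routed to the hdb database, not to the proxy; clients of the proxy must therefore name themselves under dc=internal,dc=companyname,dc=local, and the suffix massage rewrites that bind DN into its AD form before it is forwarded. The proxy account only needs read access in AD, and the cn=config entry holding its password should stay readable by root (or the config rootdn) alone.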
