Hi, I have two Active Directories in my company. As I have an application which only has the possibility to query one LDAP server for authentication, I thought about a metadirectory as described here: http://ltb-project.org/wiki/documentation/general/sasl_delegation and here https://www.memolinux.info/doku.php?id=unix:ldap:openldapads&s=meta#backend/meta

So I started with OpenLDAP 2.4.31 from Debian 7.4. My starting configuration looks like below. What I was missing from the documentation: I need a schema where sAMAccountName, proxyAddresses and so on are defined. So I created the msad.schema as described here: http://serverfault.com/questions/151688/configuring-openldap-as-a-active-directory-proxy

Now I don't get an error when I start up slapd. But when I do a search against the metadirectory, for example:

    ldapsearch -x -D cn=manager,dc=meta -b dc=meta uid=testuser

I see in Wireshark
- the BindRequest
- the SearchRequest within DC=D6200,DC=comp,DC=com
- but the search criteria looks like this: (!(objectclass=*)), not (objectclass=*), which finds nothing and gives me 0 results.

Also I found: http://www.openldap.org/lists/openldap-technical/201206/msg00168.html
But what is unclear here: what schema definitions do I need with this?

Could someone point me to my error, as I am nearly blind from comparing.

Thomas

slapd.conf
==========

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/msad.schema

pidfile /var/run/slapd/slapd.pid
loglevel 99

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_ldap
moduleload back_meta
moduleload rwm

access to * by * read

# Database
database meta
suffix "dc=meta"
rootdn "cn=Manager,dc=meta"
rootpw secret

# LDAP 1
uri "ldap://192.168.0.2:3268/ou=vzp,dc=meta"
lastmod off
suffixmassage "ou=vzp,dc=meta" "DC=D6200,DC=comp,DC=com"
idassert-bind bindmethod=simple binddn="CN=Meta,CN=Users,DC=D6200,DC=comp,DC=com" credentials="secret" mode=none flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=Manager,dc=meta"
overlay rwm
rwm-map objectclass account user
rwm-map attribute mail proxyAddresses
rwm-map attribute uid sAMAccountName
rwm-map attribute cn name
rwm-map attribute *

# LDAP 2
uri "ldap://192.168.13.2:3268/ou=azp,dc=meta"
lastmod off
suffixmassage "ou=azp,dc=meta" "DC=d5820,DC=muc,DC=com"
idassert-bind bindmethod=simple binddn="CN=Meta,CN=Users,DC=d5820,DC=muc,DC=com" credentials="secret" mode=none flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=Manager,dc=meta"
overlay rwm
rwm-map objectclass account user
rwm-map attribute mail proxyAddresses
rwm-map attribute uid sAMAccountName
rwm-map attribute cn name
rwm-map attribute *
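Added example (editor's addition, not from the post and not OpenLDAP code): a small Python model of the slapo-rwm mapping rules that bear on the filter Thomas sees on the wire. In slapo-rwm, "rwm-map attribute <local> <foreign>" sends a filter on <local> as <foreign>, "rwm-map objectclass <local> <foreign>" rewrites the value of (objectClass=<local>), a bare "rwm-map attribute *" drops every attribute that is not explicitly listed, and a filter node whose attribute cannot be mapped is replaced by the always-false filter (!(objectClass=*)), which is the string observed in Wireshark. The model applies a list of map tables in sequence, so one can see what a filter looks like after one mapping pass and after two; the posted slapd.conf declares "overlay rwm" twice in the same database, and whether slapd stacks those as two instances is something to verify against slapd itself. The POSTED table is constructed from the posted configuration; the parser, the class and the pass-through treatment of objectClass are assumptions of this model.

```python
"""Offline model of how slapo-rwm 'rwm-map' tables rewrite an LDAP search filter.

Added example, not part of the original post or of OpenLDAP.  Modelled rules:
  * rwm-map attribute <local> <foreign>: a filter on <local> is sent as <foreign>
  * rwm-map objectclass <local> <foreign>: the value of (objectClass=<local>) becomes <foreign>
  * rwm-map attribute *  (no local name): every attribute not listed is dropped
  * a filter node whose attribute cannot be mapped becomes the always-false
    filter (!(objectClass=*)), the string seen in the post
objectClass itself always passes (rwm seeds its table with that identity mapping).
"""
import re
from dataclasses import dataclass, field

FALSE_FILTER = "(!(objectClass=*))"
# simple filter item: attribute, comparison operator, value
_ITEM = re.compile(r"^([A-Za-z][\w.;-]*)(~=|>=|<=|=)(.*)$", re.S)


@dataclass
class RwmMap:
    """One rwm-map table (hypothetical helper, assumption of this model)."""
    attrs: dict = field(default_factory=dict)   # local attribute -> foreign attribute
    ocs: dict = field(default_factory=dict)     # local objectClass -> foreign objectClass
    drop_missing: bool = False                  # True models a bare "rwm-map attribute *"

    def map_attr(self, name):
        """Return the foreign attribute name, or None if rwm would drop the attribute."""
        if name.lower() == "objectclass":
            return "objectClass"
        for local, foreign in self.attrs.items():
            if local.lower() == name.lower():
                return foreign
        return None if self.drop_missing else name

    def map_oc(self, value):
        """Map an objectClass value (case-insensitive, as LDAP names are)."""
        for local, foreign in self.ocs.items():
            if local.lower() == value.lower():
                return foreign
        return value


def _parse(s, i, m):
    """Recursive-descent rewrite of the RFC 4515 filter s starting at s[i] == '('."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":                       # and / or / not: rewrite each child
        op = s[i]
        i += 1
        parts = []
        while i < len(s) and s[i] == "(":
            sub, i = _parse(s, i, m)
            parts.append(sub)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated ({op} at {i}")
        return f"({op}{''.join(parts)})", i + 1
    end = s.index(")", i)                   # a literal ')' in a value is escaped as \29
    item = _ITEM.match(s[i:end])
    if not item:
        raise ValueError(f"bad filter item {s[i:end]!r}")
    attr, op, value = item.groups()
    foreign = m.map_attr(attr)
    if foreign is None:
        return FALSE_FILTER, end + 1        # unmappable node -> always-false filter
    if foreign == "objectClass" and op == "=" and value != "*":
        value = m.map_oc(value)             # objectclass map applies to the value
    return f"({foreign}{op}{value})", end + 1


def rewrite_filter(filt, maps):
    """Apply each RwmMap in turn, as stacked rwm instances would, and return the wire filter."""
    for m in maps:
        out, pos = _parse(filt, 0, m)
        if pos != len(filt):
            raise ValueError("trailing data after filter")
        filt = out
    return filt


# The table the posted slapd.conf configures for each target (constructed from the post).
POSTED = RwmMap(
    attrs={"uid": "sAMAccountName", "mail": "proxyAddresses", "cn": "name"},
    ocs={"account": "user"},
    drop_missing=True,
)

if __name__ == "__main__":
    print(rewrite_filter("(uid=testuser)", [POSTED]))
    print(rewrite_filter("(&(objectClass=account)(mail=t@example.com))", [POSTED]))
    print(rewrite_filter("(telephoneNumber=123)", [POSTED]))
    print(rewrite_filter("(uid=testuser)", [POSTED, POSTED]))
```

Run stand-alone, the script shows that with the posted table a single pass turns (uid=testuser) into (sAMAccountName=testuser), that a filter on an attribute absent from the table (telephoneNumber here) becomes the always-false filter because of the bare "rwm-map attribute *", and that feeding the output of one pass into a second pass with the same table also yields (!(objectClass=*)), since sAMAccountName is not a local name in that table. Comparing the model's output for a given filter with what Wireshark shows is a quick way to tell whether the map table or something else in the proxy is responsible for the rewrite.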
