Hi,
I am attempting to configure OpenLDAP such that it acts as a subordinate to a Microsoft Active Directory server, and presents a unified directory tree to any applications. The directory tree I am aiming for is as follows:
    ou=XYZ, dc=xyz, dc=com                 Microsoft Active Directory
    ou=Extranet, ou=XYZ, dc=xyz, dc=com    OpenLDAP bdb database (subordinate)
I was previously having problems with the rewrite rules required to ensure that user and group objects within AD were transformed into inetOrgPerson and groupOfNames objects that are being stored in the "ou=Extranet, ou=XYZ, dc=xyz, dc=com". Thanks to Howard Chu's response I have altered my configuration file, and the rewriting now only occurs to the directory entries stored within the AD portion.
The database section of my configuration file is now as follows:
    database        bdb
    suffix          "ou=Extranet, ou=XYZ, dc=xyz, dc=com"
    rootdn          "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com"
    rootpw          secret
    directory       /usr/local/var/openldap-data
    index           objectClass eq

    database        ldap
    suffix          "ou=XYZ, dc=xyz, dc=com"
    uri             "ldap://dc1"
    acl-bind        bindmethod=simple binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" credentials="secret"
    idassert-bind   bindmethod=simple binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" credentials="secret" mode=none authzId="dn:cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
    idassert-authzFrom "dn.children:ou=XYZ, dc=xyz, dc=com"

    overlay         rwm
    rwm-map         objectclass inetOrgPerson user
    rwm-map         objectclass groupOfNames group
    rwm-map         attribute uid sAMAccountname
    rwm-map         attribute cn name
    rwm-map         attribute sn sn
    rwm-map         attribute mail mail
    rwm-map         attribute member member
    rwm-map         attribute *

    overlay         glue
    glue-sub        "ou=Extranet, ou=XYZ, dc=xyz, dc=com"
With the above configuration, while the rewrite only occurs to directory entries stored within the AD portion, the functionality I expected from the glue overlay no longer appears.
If I perform a search with a base "ou=XYZ, dc=xyz, dc=com", entries from the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion of the directory are not retrieved unless I explicitly set the search base to that portion. Obviously, in order to unify the two databases I would wish entries from the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion of the directory to be included along with entries from the AD portion when the search base is "ou=XYZ, dc=xyz, dc=com".
I am running OpenLDAP version 2.3.30.
I'd greatly appreciate any help I could get in achieving the correct glue configuration.
Andrew
Below is an example showing how unless the search base is explicitly set to the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion of the directory, the entries are not retrieved:
    extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=XYZ, dc=xyz, dc=com" "(uid=john.smith)"
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <ou=XYZ, dc=xyz, dc=com> with scope subtree
    # filter: (uid=john.smith)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 0 Success

    # numResponses: 1
    extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=Extranet, ou=XYZ, dc=xyz, dc=com" "(uid=john.smith)"
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <ou=Extranet, ou=XYZ, dc=xyz, dc=com> with scope subtree
    # filter: (uid=john.smith)
    # requesting: ALL
    #

    # John Smith, Users, Extranet, XYZ, xyz.com
    dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com
    objectClass: inetOrgPerson
    cn: John Smith
    sn: Smith
    uid: john.smith
    userPassword:: am9obi5zbWl0aA==

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1
    extranet:~#
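As an added illustration, not code from the post or from OpenLDAP, the following Python model shows the behaviour the post expects from the glue overlay: slapd selects a database by the longest matching suffix, and with glue a subtree search at the superior suffix also consults the glued subordinate, so the Extranet entries appear. The two entry DNs are constructed sample data; the suffixes are the ones from the configuration above.

```python
# Added illustration (not OpenLDAP code): a small model of how slapd picks a
# database by longest suffix match and how the glue overlay lets a subtree
# search at the superior suffix also reach the glued subordinate. The entry
# DNs below are constructed sample data, not real AD content.

def normalize_dn(dn):
    """Split a DN into (type, value) RDNs, ignoring whitespace after commas
    and case (simplified: assumes no escaped commas or multi-valued RDNs)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return tuple(parts)

def is_under(dn, base, scope):
    """True if `dn` lies within `base` for scope 'base', 'one' or 'sub'."""
    d, b = normalize_dn(dn), normalize_dn(base)
    if d == b:
        return scope in ("base", "sub")
    if scope == "base" or len(d) <= len(b) or d[-len(b):] != b:
        return False
    return scope == "sub" or len(d) == len(b) + 1

# suffix -> entries it holds (superior back-ldap database, glued bdb subordinate)
DATABASES = {
    "ou=XYZ, dc=xyz, dc=com": [
        "cn=Jane Doe,ou=Users,ou=XYZ,dc=xyz,dc=com"],
    "ou=Extranet, ou=XYZ, dc=xyz, dc=com": [
        "cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com"],
}

def select_database(dn):
    """The database whose suffix is the longest one containing `dn`."""
    matches = [s for s in DATABASES if is_under(dn, s, "sub")]
    return max(matches, key=lambda s: len(normalize_dn(s))) if matches else None

def search(base, scope, glue=True):
    """Entries a search at `base` returns. Without glue only the database
    owning `base` is consulted, so entries of the subordinate are missed
    (the symptom in the post); with glue every subordinate whose suffix
    falls inside the search scope is consulted as well."""
    dbs = [select_database(base)]
    if glue:
        dbs += [s for s in DATABASES if s not in dbs and is_under(s, base, scope)]
    return sorted(e for s in dbs if s for e in DATABASES[s] if is_under(e, base, scope))
```

Note that the ldapsearch output above prints DNs without spaces after the commas while the configuration quotes them with spaces; `normalize_dn` treats both forms as the same DN, as slapd does.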