On 8/6/07, Pierangelo Masarati wrote:
DePriest, Jason R. wrote:
I am a complete newbie with OpenLDAP. I have worked with Windows NT Domains and Active Directory for a long time. I've also worked with Microsoft ADAM and CA's eTrust Admin Directory.
However, I am having trouble getting OpenLDAP to perform what I think are basic functions.
I have a Debian GNU/Linux Etch system with a 2.6.18 kernel.
slapd reports a version of 2.3.30.
slapd-ldap(5) saw some significant enhancements around 2.3.34 or so; I'd recommend updating to the latest (2.3.37 right now).
I was able to get slapd 2.3.35 from Debian's testing tree. The unstable tree has the same version. If I need to go higher, I can just compile it myself.
I have slapd running and I am able to authenticate with the local admin account.
What I want is for it to take requests for domain.com, ask the real domain.com LDAP server (Active Directory) to handle it, then provide the answer to the client.
I want to have an OpenLDAP server in my DMZ proxy connections to my internal network without actually storing any account information locally (except for the local admin).
I think this is the relevant configuration information (comments removed):

    include         /etc/ldap/schema/core.schema
    include         /etc/ldap/schema/cosine.schema
    include         /etc/ldap/schema/nis.schema
    include         /etc/ldap/schema/inetorgperson.schema
    pidfile         /var/run/slapd/slapd.pid
    argsfile        /var/run/slapd/slapd.args
    loglevel        0
    modulepath      /usr/lib/ldap
    moduleload      back_bdb
    moduleload      back_ldap
    moduleload      rwm
Done. I thought I had tried this, but apparently not. Unless something changed between 2.3.30 and 2.3.35.
    sizelimit       500
    tool-threads    1
    backend         bdb
    checkpoint      512 30

    database        ldap
    lastmod         off
^^^ not needed
deleted this line
    uri             "ldap://server.domain.com"
    map attribute   uid sAMAccountName
    map attribute   cn name
    map attribute   mail userPrincipalName
    map objectclass account user
    map attribute   *
    idassert-bind   bindmethod=simple
                    binddn="cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com"
                    credentials="<password>"
                    method=self
    chase-referrals yes
^^^ this might give undesired effects; only activate if strictly required, and after careful testing.
Commented this line out.
    database        bdb
    suffix          "dc=domain,dc=com"
    rootdn          "cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com"
    directory       "/var/lib/ldap"
    dbconfig        set_cachesize 0 2097152 0
    dbconfig        set_lk_max_objects 1500
    dbconfig        set_lk_max_locks 1500
    dbconfig        set_lk_max_lockers 1500
    index           objectClass eq
    lastmod         on
    access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=ftbco,dc=ftn,dc=com" write
        by anonymous auth
        by self write
        by * none
    access to dn.base=""
        by * read
    access to *
        by dn="cn=admin,dc=ftbco,dc=ftn,dc=com" write
        by * read
[ cut out my errors from first post ]
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it
slapd runs with no critical errors. I can connect and bind with the local admin account.
I cannot seem to get it to reach out to the other LDAP server. It just searches itself and gives up when it cannot find what it is looking for.
There are no errors, it just finds 0 matches.
I don't have rootDSE set anywhere. Do I need that for this to work?
-Jason
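A small configuration check for the points raised in this thread, added here as an example and not code from the list or from OpenLDAP: it parses a slapd.conf text and flags `map` directives in a `database ldap` stanza without `moduleload rwm`, `chase-referrals yes`, and a cleartext `idassert-bind` credential; it also goes one step beyond the thread and notes a proxy stanza that has no `suffix`, since slapd only routes a request to a database whose suffix matches the target DN. The sample config is constructed, and the host and DNs in it are placeholders.

```python
import shlex

def parse_slapd_conf(text):
    """(directive, args) pairs; whitespace-led lines continue the previous one."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                       # blank line or comment
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()   # slapd.conf continuation line
        else:
            logical.append(raw.strip())
    return [(p[0].lower(), p[1:]) for p in map(shlex.split, logical)]

def lint_proxy_config(text):
    """Findings for each 'database ldap' stanza in a slapd.conf text."""
    findings, loaded, db, uses_map, has_suffix = [], set(), None, False, False
    def close_db():                        # checks that need the whole stanza
        if db == "ldap" and uses_map and "rwm" not in loaded:
            findings.append("map directives in database ldap need 'moduleload rwm'")
        if db == "ldap" and not has_suffix:
            findings.append("database ldap has no suffix, so no request is routed to it")
    for directive, args in parse_slapd_conf(text):
        if directive == "moduleload" and args:
            loaded.add(args[0].split(".")[0].lower())   # rwm.la / rwm.so -> rwm
        elif directive == "database" and args:
            close_db()
            db, uses_map, has_suffix = args[0].lower(), False, False
        elif db != "ldap":
            continue                       # only the proxy stanza is checked
        elif directive == "suffix":
            has_suffix = True
        elif directive in ("map", "rwm-map"):
            uses_map = True
        elif directive == "chase-referrals" and args and args[0].lower() == "yes":
            findings.append("chase-referrals yes: enable only if required, after testing")
        elif directive == "idassert-bind" and any(a.startswith("credentials=") for a in args):
            findings.append("idassert-bind holds a cleartext credential: restrict slapd.conf permissions")
    close_db()
    return findings

# Constructed sample mirroring the stanza in the thread; host and DNs are placeholders.
SAMPLE_CONF = """\
moduleload      back_ldap
database        ldap
uri             "ldap://server.domain.com"
map attribute   uid sAMAccountName
idassert-bind   bindmethod=simple binddn="cn=proxy,dc=domain,dc=com"
                credentials="placeholder"
chase-referrals yes
database        bdb
"""
```

Running `lint_proxy_config(SAMPLE_CONF)` reports all four findings; adding `moduleload rwm`, a `suffix`, and dropping `chase-referrals yes` leaves only the credential note.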