<quote who="Andrew Kay">
Gavin,
Thanks for your reply. Apologies for the delay in replying, I've been away from a computer for the past two days.
Did you see Howard's reply?
"You need to configure the rwm overlay so that it only applies to the main DB. You do this by explicitly configuring the position of the glue overlay, putting it above the rwm overlay:

database ldap
suffix dc=xyz,dc=com
...
overlay rwm
...
overlay glue"
The database portion of my configuration file is currently:
database bdb
suffix "ou=Extranet, ou=XYZ, dc=xyz, dc=com"
subordinate
rootdn "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com"
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq
database ldap suffix "ou=XYZ, dc=xyz, dc=com" uri "ldap://dc1"
acl-bind bindmethod=simple binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" credentials="secret"
idassert-bind bindmethod=simple binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" credentials="secret" mode=none authzId="dn:cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
idassert-authzFrom "dn.children:ou=XYZ, dc=xyz, dc=com"
overlay rwm
rwm-map objectclass inetOrgPerson user
rwm-map objectclass groupOfNames group
rwm-map attribute uid sAMAccountname
rwm-map attribute cn name
rwm-map attribute sn sn
rwm-map attribute mail mail
rwm-map attribute member member
rwm-map attribute *
If I run a query against a user from the AD portion of the directory:
extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=Users, ou=XYZ, dc=xyz, dc=com" "(cn=Andrew Kay)" ...
# Andrew Kay, Users, XYZ, xyz.com
dn: cn=Andrew Kay,ou=Users,ou=XYZ,dc=xyz,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Kay
cn: Andrew Kay
uid: Andrew
mail: andrew.kay@xyz.com
... extranet:~#
The AD user is successfully mapped to an inetOrgPerson. If I run a query against a user from the OpenLDAP portion of the directory, where the user is already an inetOrgPerson:
extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=Extranet, ou=XYZ, dc=xyz, dc=com" "(cn=John Smith)" ...
# John Smith, Users, Extranet, XYZ, xyz.com
dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com
objectClass: inetOrgPerson
sn: Smith
... extranet:~#
The result is missing the uid field. If I comment out all rwm directives in the configuration and perform the same query (after restarting OpenLDAP), I get the following:
extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=Extranet, ou=XYZ, dc=xyz, dc=com" "(cn=John Smith)" ...
# John Smith, Users, Extranet, XYZ, xyz.com
dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com
objectClass: inetOrgPerson
cn: John Smith
sn: Smith
uid: john.smith
userPassword:: am9obi5zbWl0aA==
... extranet:~#
If I query the AD portion of the directory I receive the unaltered user, with AD schema attributes such as sAMAccountName.
Andrew