<quote who="Andrew Kay">
Hi,
(Apologies if anybody has already received this, I sent the message before subscribing to the list and later discovered that it may not be relayed if I wasn't a subscriber.)
I am trying to configure OpenLDAP such that it acts as a subordinate to an Active Directory server to allow applications to seamlessly authenticate users against both directories via the OpenLDAP server (some users will be in OpenLDAP, some in AD). The directory suffixes are set up as follows, for example:
Active Directory: dc=xyz, dc=com
OpenLDAP: ou=Extranet, dc=xyz, dc=com (subordinate)
I have successfully configured OpenLDAP such that a query with a base "dc=xyz, dc=com" will return results from both directories.
I now want to add a rewrite rule to entries from the AD directory such that Microsoft object classes (user and group) are transformed into inetOrgPerson and groupOfNames respectively. Also, I'd like the SAMAccountName attribute to be mapped to an attribute named uid. I followed the example of using the rwm overlay here:
http://www.openldap.org/lists/openldap-software/200510/msg00256.html
I was then able to perform a query on the uid attribute against the AD directory; the entry was returned rewritten as an inetOrgPerson, as I had expected.
However, I am no longer able to perform a query on the uid attribute against the subordinate OpenLDAP directory (base "ou=Extranet, dc=xyz, dc=com") as, AFAIK, the rewrite rule is removing it from the query, the results, or both.
</quote>
Have you analysed your logs to see what's actually happening?
What does your current config look like?
<quote who="Andrew Kay">
Is it possible to only apply such rewrite rules to entries within the AD directory, and leave entries stored in the OpenLDAP subordinate directory untouched, or is there a better way to approach this problem?
Andrew
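The following slapd.conf sketch is an added example, not part of the thread and not a configuration posted by anyone in it. It shows the one arrangement in which the rwm mapping is confined to the AD entries: rwm is stacked on the back-ldap database that proxies AD, and the glue overlay is configured explicitly on that same database after rwm. Overlays execute in the reverse of their configuration order, so glue runs before rwm; the example assumes (this is the part to verify against slapd.conf(5) and the slapd log for the version in use) that a search based under ou=Extranet is then handed by glue straight to the subordinate database and never passes through rwm, while a search based at dc=xyz,dc=com is split so that only the AD half is rewritten. The AD host name, the local database backend (back-bdb), its directory, rootdn and rootpw are placeholders. Comments are on their own lines because slapd.conf does not accept trailing comments after a directive's value.

```conf
# Added example (not from the thread). Subordinate first, superior second,
# as slapd.conf(5) requires for glued databases.

# Uncomment only if slapd was built with dynamic modules:
# moduleload  back_bdb.la
# moduleload  back_ldap.la
# moduleload  rwm.la

# 1. Local directory: the glue subordinate. No rwm here, so uid and
#    inetOrgPerson stay exactly as stored.
database    bdb
suffix      "ou=Extranet,dc=xyz,dc=com"
subordinate
# rootdn/rootpw/directory are placeholders; use a hashed rootpw in practice.
rootdn      "cn=Manager,ou=Extranet,dc=xyz,dc=com"
rootpw      secret
directory   /var/lib/ldap/extranet
index       objectClass,uid eq

# 2. AD proxy: the glue superior. Everything under dc=xyz,dc=com that is
#    not under ou=Extranet is forwarded to AD.
database    ldap
suffix      "dc=xyz,dc=com"
# Placeholder host name.
uri         "ldap://ad.xyz.com/"
# AD normally refuses anonymous searches; the proxy's own bind to AD
# (back-ldap identity assertion) is site-specific and omitted here.

# 3. rwm on the proxy only. Local (client-facing) name first, AD name second.
overlay     rwm
rwm-map     attribute   uid             sAMAccountName
rwm-map     attribute   *               *
rwm-map     objectclass inetOrgPerson   user
rwm-map     objectclass groupOfNames    group
rwm-map     objectclass *               *

# 4. Glue, configured explicitly so its place in the overlay stack is not
#    left to the implicit default. Configured after rwm, it executes before
#    rwm: searches based in the subordinate are dispatched there directly,
#    and only requests that continue down to back-ldap are rewritten.
overlay     glue
```

To confirm the stacking behaves as assumed, run the two searches from the message (filter on uid, once with base "dc=xyz,dc=com" and once with base "ou=Extranet,dc=xyz,dc=com") with slapd logging enabled and check which filter each backend actually receives: the subordinate must see (uid=...) unchanged, while the request that reaches AD must show sAMAccountName.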