Hi,
(Apologies if anybody has already received this, I sent the message before subscribing to the list and later discovered that it may not be relayed if I wasn't a subscriber.)
I am trying to configure OpenLDAP such that it acts as a subordinate to an Active Directory server to allow applications to seamlessly authenticate users against both directories via the OpenLDAP server (some users will be in OpenLDAP, some in AD). The directory suffixes are set up as follows, for example:
    Active Directory   dc=xyz, dc=com
    OpenLDAP           ou=Extranet, dc=xyz, dc=com (subordinate)
I have successfully configured OpenLDAP such that a query with a base "dc=xyz, dc=com" will return results from both directories.
I now want to add a rewrite rule to entries from the AD directory such that Microsoft object classes (user and group) are transformed into inetOrgPerson and groupOfNames respectively. Also, I'd like the SAMAccountName attribute to be mapped to an attribute named uid. I followed the example of using the rwm overlay here:
http://www.openldap.org/lists/openldap-software/200510/msg00256.html
I was then able to perform a query on the uid attribute against the AD directory, the entry was returned rewritten as an inetOrgPerson as I had expected.
However, I am no longer able to perform a query on the uid attribute against the subordinate OpenLDAP directory (base "ou=Extranet, dc=xyz, dc=com") as, AFAIK, the rewrite rule is removing it from the query, results or both.
Is it possible to only apply such rewrite rules to entries within the AD directory, and leave entries stored in the OpenLDAP subordinate directory untouched, or is there a better way to approach this problem?
Andrew
Andrew Kay wrote:
> Hi,
> (Apologies if anybody has already received this, I sent the message before subscribing to the list and later discovered that it may not be relayed if I wasn't a subscriber.)
> I am trying to configure OpenLDAP such that it acts as a subordinate to an Active Directory server to allow applications to seamlessly authenticate users against both directories via the OpenLDAP server (some users will be in OpenLDAP, some in AD). The directory suffixes are set up as follows, for example:
>     Active Directory   dc=xyz, dc=com
>     OpenLDAP           ou=Extranet, dc=xyz, dc=com (subordinate)
> I have successfully configured OpenLDAP such that a query with a base "dc=xyz, dc=com" will return results from both directories.
> I now want to add a rewrite rule to entries from the AD directory such that Microsoft object classes (user and group) are transformed into inetOrgPerson and groupOfNames respectively. Also, I'd like the SAMAccountName attribute to be mapped to an attribute named uid. I followed the example of using the rwm overlay here:
> http://www.openldap.org/lists/openldap-software/200510/msg00256.html
> I was then able to perform a query on the uid attribute against the AD directory, the entry was returned rewritten as an inetOrgPerson as I had expected.
> However, I am no longer able to perform a query on the uid attribute against the subordinate OpenLDAP directory (base "ou=Extranet, dc=xyz, dc=com") as, AFAIK, the rewrite rule is removing it from the query, results or both.
> Is it possible to only apply such rewrite rules to entries within the AD directory, and leave entries stored in the OpenLDAP subordinate directory untouched, or is there a better way to approach this problem?
You need to configure the rwm overlay so that it only applies to the main DB. You do this by explicitly configuring the position of the glue overlay, putting it above the rwm overlay:
    database ldap
    suffix   dc=xyz,dc=com
    ...
    overlay  rwm
    ...
    overlay  glue
Howard,
Thanks for your reply. My apologies for not replying sooner but I've been away from a computer.
Could you please advise as to where I should insert the overlay directives in the following configuration file? My understanding was that the OpenLDAP-administered portion of the directory (ou=Extranet, ou=XYZ, dc=xyz, dc=com) would have to be specified first and use the subordinate directive. I'm running version 2.3.30.
    database    bdb
    suffix      "ou=Extranet, ou=XYZ, dc=xyz, dc=com"
    subordinate
    rootdn      "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com"
    rootpw      secret
    directory   /usr/local/var/openldap-data
    index       objectClass eq

    database    ldap
    suffix      "ou=XYZ, dc=xyz, dc=com"
    uri         "ldap://dc1"

    acl-bind    bindmethod=simple
                binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
                credentials="secret"

    idassert-bind bindmethod=simple
                binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
                credentials="secret"
                mode=none
                authzId="dn:cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"

    idassert-authzFrom "dn.children:ou=XYZ, dc=xyz, dc=com"

    overlay     rwm
    rwm-map     objectclass inetOrgPerson user
    rwm-map     objectclass groupOfNames group
    rwm-map     attribute uid sAMAccountName
    rwm-map     attribute cn name
    rwm-map     attribute sn sn
    rwm-map     attribute mail mail
    rwm-map     attribute member member
    rwm-map     attribute *
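For reference, here is the configuration above assembled with the change Howard describes (an explicit "overlay glue" declared after "overlay rwm" on the ldap database). This is an added example, not a config posted by anyone in the thread; the host dc1, the bind DNs and the password "secret" are the placeholders from Andrew's message, and the comments reflect OpenLDAP 2.3 slapd.conf overlay stacking (the last overlay declared is the outermost one, so glue sees each operation before rwm does).

```conf
# Added example: slapd.conf for OpenLDAP 2.3 with the glue overlay placed
# explicitly above rwm. Placeholders: dc1, the bind DNs, "secret".

# Subordinate database, declared first. Entries here are managed locally
# and must NOT pass through the rwm mappings below.
database        bdb
suffix          "ou=Extranet,ou=XYZ,dc=xyz,dc=com"
subordinate
rootdn          "cn=Manager,ou=Extranet,ou=XYZ,dc=xyz,dc=com"
rootpw          secret          # use a {SSHA} hash from slappasswd in practice
directory       /usr/local/var/openldap-data
index           objectClass eq

# Superior database: everything else under ou=XYZ is proxied to AD.
database        ldap
suffix          "ou=XYZ,dc=xyz,dc=com"
uri             "ldap://dc1"
acl-bind        bindmethod=simple
                binddn="cn=Andrew Kay,ou=Users,ou=XYZ,dc=xyz,dc=com"
                credentials="secret"
idassert-bind   bindmethod=simple
                binddn="cn=Andrew Kay,ou=Users,ou=XYZ,dc=xyz,dc=com"
                credentials="secret"
                mode=none
                authzId="dn:cn=Andrew Kay,ou=Users,ou=XYZ,dc=xyz,dc=com"
idassert-authzFrom "dn.children:ou=XYZ,dc=xyz,dc=com"

# rwm is declared first, so it sits directly above the ldap backend and
# rewrites only what is actually sent to / received from AD.
overlay         rwm
rwm-map         objectclass inetOrgPerson user
rwm-map         objectclass groupOfNames group
rwm-map         attribute uid sAMAccountName
rwm-map         attribute cn name
rwm-map         attribute sn sn
rwm-map         attribute mail mail
rwm-map         attribute member member
# Trailing "rwm-map attribute *" with no local name drops every other
# AD attribute instead of passing it through.
rwm-map         attribute *

# glue is declared last, so it is stacked on top of rwm. A search based at
# ou=XYZ is split between the subordinate bdb database and the ldap backend
# here, before rwm sees it; the local ou=Extranet entries keep their own uid.
overlay         glue
```

After restarting slapd, a search such as `ldapsearch -x -H ldap://localhost -b "ou=Extranet,ou=XYZ,dc=xyz,dc=com" "(uid=someuser)"` should return the locally stored entry with uid intact, while the same filter with base "ou=XYZ,dc=xyz,dc=com" reaches AD as (sAMAccountName=someuser) and comes back mapped to inetOrgPerson. Note that the acl-bind and idassert-bind credentials are stored in cleartext in this file, so slapd.conf should be readable only by the user slapd runs as.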
Andrew Kay wrote:
> Hi,
> (Apologies if anybody has already received this, I sent the message before subscribing to the list and later discovered that it may not be relayed if I wasn't a subscriber.)
> I am trying to configure OpenLDAP such that it acts as a subordinate to an Active Directory server to allow applications to seamlessly authenticate users against both directories via the OpenLDAP server (some users will be in OpenLDAP, some in AD). The directory suffixes are set up as follows, for example:
>     Active Directory   dc=xyz, dc=com
>     OpenLDAP           ou=Extranet, dc=xyz, dc=com (subordinate)
> I have successfully configured OpenLDAP such that a query with a base "dc=xyz, dc=com" will return results from both directories.
> I now want to add a rewrite rule to entries from the AD directory such that Microsoft object classes (user and group) are transformed into inetOrgPerson and groupOfNames respectively. Also, I'd like the SAMAccountName attribute to be mapped to an attribute named uid. I followed the example of using the rwm overlay here:
> http://www.openldap.org/lists/openldap-software/200510/msg00256.html
> I was then able to perform a query on the uid attribute against the AD directory, the entry was returned rewritten as an inetOrgPerson as I had expected.
> However, I am no longer able to perform a query on the uid attribute against the subordinate OpenLDAP directory (base "ou=Extranet, dc=xyz, dc=com") as, AFAIK, the rewrite rule is removing it from the query, results or both.
Have you analysed your logs to see what's actually happening?
What does your current config look like?
> Is it possible to only apply such rewrite rules to entries within the AD directory, and leave entries stored in the OpenLDAP subordinate directory untouched, or is there a better way to approach this problem?
> Andrew