Hi,
I am attempting to configure OpenLDAP such that it acts as a subordinate to a Microsoft Active Directory server, and presents a unified directory tree to any applications. The directory tree I am aiming for is as follows:
ou=XYZ, dc=xyz, dc=com Microsoft Active Directory ou=Extranet, ou=XYZ, dc=xyz, dc=com OpenLDAP bdb database (subordinate)
I was previously having problems with the rewrite rules required to ensure that user and group objects within AD were transformed into inetOrgPerson and groupOfName objects that are being stored in the "ou=Extranet, ou=XYZ, dc=xyz, dc=com", thanks to Howard Chu's response I have altered my configuration file and the rewriting now only occurs to the directory entries stored within the AD portion.
The database section of my configuration file is now as follows:
database bdb suffix "ou=Extranet, ou=XYZ, dc=xyz, dc=com" rootdn "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" rootpw secret directory /usr/local/var/openldap-data index objectClass eq
database ldap suffix "ou=XYZ, dc=xyz, dc=com" uri "ldap://dc1"
acl-bind bindmethod=simple binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" credentials="secret"
idassert-bind bindmethod=simple binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" credentials="secret" mode=none authzId="dn:cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
idassert-authzFrom "dn.children:ou=XYZ, dc=xyz, dc=com"
overlay rwm
rwm-map objectclass inetOrgPerson user rwm-map objectclass groupOfNames group rwm-map attribute uid sAMAccountname rwm-map attribute cn name rwm-map attribute sn sn rwm-map attribute mail mail rwm-map attribute member member rwm-map attribute *
overlay glue
glue-sub "ou=Extranet, ou=XYZ, dc=xyz, dc=com"
With the above configuration, while the rewrite only occurs to directory entries stored within the AD portion, the functionality I expected from the glue overlay no longer appears.
If I perform a search with a base "ou=XYZ, dc=xyz, dc=com" entries from the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion of the directory are not retrieved, unless I explicility set the search base to that portion. Obviously in order to unify the two databases I would wish entries from the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion of the directory to be included along with entries from the AD portion when the search base is "ou=XYZ, dc=xyz, dc=com".
I am running OpenLDAP version 2.3.30.
I'd greatly appreciate any help I could get in achieving the correct glue configuration.
Andrew
Below is an example showing how unless the search base is explicitly set to the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion of the directory, the entries are not retrieved:
extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=XYZ, dc=xyz, dc=com" "(uid=john.smith)" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=XYZ, dc=xyz, dc=com> with scope subtree # filter: (uid=john.smith) # requesting: ALL #
# search result search: 2 result: 0 Success
# numResponses: 1 extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=Extranet, ou=XYZ, dc=xyz, dc=com" "(uid=john.smith)" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=Extranet, ou=XYZ, dc=xyz, dc=com> with scope subtree # filter: (uid=john.smith) # requesting: ALL #
# John Smith, Users, Extranet, XYZ, xyz.com dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com objectClass: inetOrgPerson cn: John Smith sn: Smith uid: john.smith userPassword:: am9obi5zbWl0aA==
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 extranet:~#
Andrew Kay wrote:
Hi,
I am attempting to configure OpenLDAP such that it acts as a subordinate to a Microsoft Active Directory server, and presents a unified directory tree to any applications. The directory tree I am aiming for is as follows:
ou=XYZ, dc=xyz, dc=com Microsoft Active Directory ou=Extranet, ou=XYZ, dc=xyz, dc=com OpenLDAP bdb database
(subordinate)
I was previously having problems with the rewrite rules required to ensure that user and group objects within AD were transformed into inetOrgPerson and groupOfName objects that are being stored in the "ou=Extranet, ou=XYZ, dc=xyz, dc=com", thanks to Howard Chu's response I have altered my configuration file and the rewriting now only occurs to the directory entries stored within the AD portion.
The database section of my configuration file is now as follows:
database bdb suffix "ou=Extranet, ou=XYZ, dc=xyz, dc=com" rootdn "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" rootpw secret directory /usr/local/var/openldap-data index objectClass eq database ldap suffix "ou=XYZ, dc=xyz, dc=com" uri "ldap://dc1" acl-bind bindmethod=simple binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" credentials="secret" idassert-bind bindmethod=simple binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" credentials="secret" mode=none authzId="dn:cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" idassert-authzFrom "dn.children:ou=XYZ, dc=xyz, dc=com" overlay rwm rwm-map objectclass inetOrgPerson user rwm-map objectclass groupOfNames group rwm-map attribute uid sAMAccountname rwm-map attribute cn name rwm-map attribute sn sn rwm-map attribute mail mail rwm-map attribute member member rwm-map attribute * overlay glue glue-sub "ou=Extranet, ou=XYZ, dc=xyz, dc=com"
With the above configuration, while the rewrite only occurs to directory entries stored within the AD portion, the functionality I expected from the glue overlay no longer appears.
If I perform a search with a base "ou=XYZ, dc=xyz, dc=com" entries from the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion of the directory are not retrieved, unless I explicility set the search base to that portion. Obviously in order to unify the two databases I would wish entries from the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion of the directory to be included along with entries from the AD portion when the search base is "ou=XYZ, dc=xyz, dc=com".
I am running OpenLDAP version 2.3.30.
I'd greatly appreciate any help I could get in achieving the correct glue configuration.
"glue-sub" is not a valid config keyword. You still have to use the "subordinate" keyword. It appears that you haven't read slapd.conf(5).
Howard,
My appologies, I was looking at the man pages online and hadn't realised they may not be the same as 2.3.30.
After reading the documentation regarding the subordinate directive I have updated my configuration file as follows, this is pretty much as it was when I encountered the first problem except for the explicit glue overlay reference added to the second, superior, database (ldap backend). My configuration file is now as follows:
database bdb suffix "ou=Extranet, ou=XYZ, dc=xyz, dc=com" subordinate rootdn "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" rootpw secret directory /usr/local/var/openldap-data index objectClass eq
database ldap suffix "ou=XYZ, dc=xyz, dc=com" uri "ldap://dc1"
acl-bind bindmethod=simple binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" credentials="secret"
idassert-bind bindmethod=simple binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" credentials="secret" mode=none authzId="dn:cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
idassert-authzFrom "dn.children:ou=XYZ, dc=xyz, dc=com"
overlay rwm rwm-map objectclass inetOrgPerson user rwm-map objectclass groupOfNames group rwm-map attribute uid sAMAccountname rwm-map attribute cn name rwm-map attribute sn sn rwm-map attribute mail mail rwm-map attribute member member rwm-map attribute *
overlay glue
As previously, the two databases are glued together correctly, and entries from both are retrieved when the base is set to "ou=XYZ, dc=xyz, dc=com" however it appears that entries from the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion of the directory (bdb database) are being rewritten. I had hoped that the explicit reference to the glue overlay would mean that the rewriting would only occur to entries retrieved from the remote LDAP directory, in this case a Microsoft Active Directory server.
Is the problem that the rewrite rule is associated with the superior database meaning that it also applies to subordinate databases, in this case I only want it to apply to the superior database not the unified directory as a result of the glueing?
Thanks for your help so far, appologies for not reading the correct documentation.
Andrew
Here's an example query that shows how an entry from the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" subordinate database is getting rewritten:
extranet:/var/log# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=XYZ, dc=xyz, dc=com" "(cn=Andrew Kay)" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=XYZ, dc=xyz, dc=com> with scope subtree # filter: (cn=Andrew Kay) # requesting: ALL #
# Andrew Kay, Users, XYZ, xyz.com dn: cn=Andrew Kay,ou=Users,ou=XYZ,dc=xyz,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson sn: Kay cn: Andrew Kay uid: Andrew mail: andrew.kay@xyz.com
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 extranet:/var/log# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=XYZ, dc=xyz, dc=com" "(cn=John Smith)" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=XYZ, dc=xyz, dc=com> with scope subtree # filter: (cn=John Smith) # requesting: ALL #
# John Smith, Users, Extranet, XYZ, xyz.com dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com objectClass: inetOrgPerson sn: Smith
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 extranet:/var/log#
In the above case the cn and uid attributes of the inetOrgPerson within "ou=Extranet..." are being removed by the mapping.
Andrew Kay wrote:
Howard,
My appologies, I was looking at the man pages online and hadn't realised they may not be the same as 2.3.30.
After reading the documentation regarding the subordinate directive I have updated my configuration file as follows, this is pretty much as it was when I encountered the first problem except for the explicit glue overlay reference added to the second, superior, database (ldap backend). My configuration file is now as follows:
Sorry, I think I just sent you on a wild goose chase. Your placement of the glue overlay here is actually unnecessary; what you've specified is already its default/implicit position.
You're being bitten by the bug in ITS#4615, which was only half-fixed before. The rest of the fix is now in CVS HEAD. We can probably push it out for 2.3.31.
As previously, the two databases are glued together correctly, and entries from both are retrieved when the base is set to "ou=XYZ, dc=xyz, dc=com" however it appears that entries from the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion of the directory (bdb database) are being rewritten. I had hoped that the explicit reference to the glue overlay would mean that the rewriting would only occur to entries retrieved from the remote LDAP directory, in this case a Microsoft Active Directory server.
Is the problem that the rewrite rule is associated with the superior database meaning that it also applies to subordinate databases, in this case I only want it to apply to the superior database not the unified directory as a result of the glueing?
Thanks for your help so far, appologies for not reading the correct documentation.
Howard,
Thanks for your response, as a result of checked out the head tag within CVS, compiled and tested with the same configuration as before.
The glue overlay and rewrite rule now appear to be functioning correctly when entries retrieved from the directories are rewritten, the inetOrgPerson entries within the OpenLDAP portion of the unified directory remain inetOrgPerson entries with all their attributes (previously attributes referenced by the rewrite overlay were being removed) and all user entries within the Active Directory portion are rewritten correctly as inetOrgPerson entries. There does appear to be a problem with searching the directory using an attribute that is being rewritten.
I have to directories being glued together,
ou=XYZ, dc=xyz, dc=com Microsoft Active Directory (ldap backend) ou=Extranet, ou=XYZ, dc=xyz, dc=com OpenLDAP bdb (subordinate)
If I retrieve an entry from each directory using the cn attribute and the base set to "ou=XYZ, dc=xyz, dc=com", I get the two directory entries correctly rewritten (in the Active Directory case) and correctly left alone (in the OpenLDAP case):
extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=XYZ, dc=xyz, dc=com" "(cn=Andrew Kay)" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=XYZ, dc=xyz, dc=com> with scope subtree # filter: (cn=Andrew Kay) # requesting: ALL #
# Andrew Kay, Users, XYZ, xyz.com dn: cn=Andrew Kay,ou=Users,ou=XYZ,dc=xyz,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson sn: Kay cn: Andrew Kay uid: Andrew mail: andrew.kay@xyz.com
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=XYZ, dc=xyz, dc=com" "(cn=John Smith)" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=XYZ, dc=xyz, dc=com> with scope subtree # filter: (cn=John Smith) # requesting: ALL #
# John Smith, Users, Extranet, XYZ, xyz.com dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com objectClass: inetOrgPerson cn: John Smith sn: Smith uid: john.smith userPassword:: am9obi5zbWl0aA==
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
In practice I want to use the uid attribute to retrieve the directory entry:
extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=XYZ, dc=xyz, dc=com" "(uid=Andrew)" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=XYZ, dc=xyz, dc=com> with scope subtree # filter: (uid=Andrew) # requesting: ALL #
# Andrew Kay, Users, XYZ, xyz.com dn: cn=Andrew Kay,ou=Users,ou=XYZ,dc=xyz,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson sn: Kay cn: Andrew Kay uid: Andrew mail: andrew.kay@xyz.com
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=XYZ, dc=xyz, dc=com" "(uid=john.smith)" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=XYZ, dc=xyz, dc=com> with scope subtree # filter: (uid=john.smith) # requesting: ALL #
# search result search: 2 result: 0 Success
# numResponses: 1
The query works perfectly against the Active Directory portion of the unified directory, but doesn't return the user from the OpenLDAP portion of the directory. If a rerun the last query but set the base explicitly to the OpenLDAP portion of the directory:
extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=Extranet, ou=XYZ, dc=xyz, dc=com" "(uid=john.smith)" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=Extranet, ou=XYZ, dc=xyz, dc=com> with scope subtree # filter: (uid=john.smith) # requesting: ALL #
# John Smith, Users, Extranet, XYZ, xyz.com dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com objectClass: inetOrgPerson cn: John Smith sn: Smith uid: john.smith userPassword:: am9obi5zbWl0aA==
# search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
I get the user, but unfortunately can't get the user if the base is set to the unified directory base.
It seems to work correctly if I am dealing with:
- an attribute that is the same in both directories (cn for example) - an attribute that is rewritten (uid works against the Active Directory portion, although it must be rewritten as SAMAccountName when performing the underlying query) - when I explicitly set the base to the OpenLDAP directory portion and then perform a query referring to an entry within it
I hope I have explained the problem I'm having in sufficient depth, I can send you the results of running slapd in "trace, args, filter, parse" debug mode if you wish.
Thanks again for your help so far.
Andrew
Andrew Kay wrote:
Howard,
Thanks for your response, as a result of checked out the head tag within CVS, compiled and tested with the same configuration as before.
By the way, the fix for ITS#4615 is now in 2.3.31.
The query works perfectly against the Active Directory portion of the unified directory, but doesn't return the user from the OpenLDAP portion of the directory. If a rerun the last query but set the base explicitly to the OpenLDAP portion of the directory:
It sounds like you've now run into ITS#4638, a bug in the rwm overlay. It maps the filter for searching in the first database, but doesn't restore the original value before proceeding to the next database, so it's using the wrong filter there. I usually don't touch the rwm code since Ando mainly works on it, but can take a look later.
I get the user, but unfortunately can't get the user if the base is set to the unified directory base.
It seems to work correctly if I am dealing with:
- an attribute that is the same in both directories (cn for example) - an attribute that is rewritten (uid works against the Active
Directory portion, although it must be rewritten as SAMAccountName when performing the underlying query) - when I explicitly set the base to the OpenLDAP directory portion and then perform a query referring to an entry within it
I hope I have explained the problem I'm having in sufficient depth, I can send you the results of running slapd in "trace, args, filter, parse" debug mode if you wish.
Thanks again for your help so far.
Andrew
Howard Chu wrote:
It sounds like you've now run into ITS#4638, a bug in the rwm overlay. It maps the filter for searching in the first database, but doesn't restore the original value before proceeding to the next database, so it's using the wrong filter there. I usually don't touch the rwm code since Ando mainly works on it, but can take a look later.
I'm not going to fix it in the very short term; however I will, at some point (could be right after Xmas or so).
If you really need to implement exactly that, you could, at the expense of an extra layer, using back-meta instead of glue. In that case, rwm capabilities are still hard-wired in back-meta. Beware that back-meta in 2.3 may suffer from some limitations I'm fixing right now in HEAD (not committed yet, though). As soon as that's over, I'll port everything to 2.3 (it's safe, we already do in custom code derived from 2.3); it's going to be a matter of days (it __HAS__ to be ;).
Cheers, p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati@sys-net.it ------------------------------------------
Pierangelo Masarati wrote:
Howard Chu wrote:
It sounds like you've now run into ITS#4638, a bug in the rwm overlay. It maps the filter for searching in the first database, but doesn't restore the original value before proceeding to the next database, so it's using the wrong filter there. I usually don't touch the rwm code since Ando mainly works on it, but can take a look later.
I'm not going to fix it in the very short term; however I will, at some point (could be right after Xmas or so).
I've patched this in HEAD. This should resolve ITS#4638 and #4689. Please test it and report back...
Howard Chu wrote:
I've patched this in HEAD. This should resolve ITS#4638 and #4689. Please test it and report back...
One way to test this would be to rework test039 and test047 to use separate instances of slapo-rwm for each database, instead of a global one. Those tests share some data with test035 and test036, dedicated to back-meta. If not present yet, all tests could be modified to include relevant schema mapping. Right now, for sure they make extensive use of DN rewriting.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati@sys-net.it ------------------------------------------
Howard,
On 12/17/06, Howard Chu hyc@symas.com wrote:
I've patched this in HEAD. This should resolve ITS#4638 and #4689. Please test it and report back...
I hope I'm not jumping the gun here, and I imagine your above comment was directed at Pierangelo but I checked out the HEAD tag, compiled and tested with the previous configuration file.
Still the directory entries in the subordinate (OpenLDAP bdb database) directory are not included when performing a query on an attribute that is rewritten and the search base is the entire directory. Again, as before if I explicitly set the base to the subordinate directory the directory entry is returned as expected.
I imagine the changes in question are 1.121 and 1.122 of:
http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/backglue.c?hideattic=...
I tried both 1.121 and 1.122 revisions.
Again, I apologise if I have jumped the gun again and thanks for you help so far.
Andrew
Andrew Kay wrote:
Howard,
On 12/17/06, Howard Chu hyc@symas.com wrote:
I've patched this in HEAD. This should resolve ITS#4638 and #4689. Please test it and report back...
I hope I'm not jumping the gun here, and I imagine your above comment was directed at Pierangelo but I checked out the HEAD tag, compiled and tested with the previous configuration file.
You checked out the entire tree, or just a few specific files?
Still the directory entries in the subordinate (OpenLDAP bdb database) directory are not included when performing a query on an attribute that is rewritten and the search base is the entire directory. Again, as before if I explicitly set the base to the subordinate directory the directory entry is returned as expected.
I imagine the changes in question are 1.121 and 1.122 of:
http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/backglue.c?hideattic=1&sortbydate=0
I tried both 1.121 and 1.122 revisions.
Again, I apologise if I have jumped the gun again and thanks for you help so far.
That's only part of the fix; you also need an updated overlays/rwm.c file (1.78).
No, you're not jumping the gun. The current HEAD code works for me in all of the existing test scenarios as well as some similar to what you described.
Howard,
I should have mentioned that first I just checked out HEAD, then I also tried rolling back to 1.121 of backglue.c, the changes to rwm.c were included in both builds.
I have just checked out HEAD and recompiled again, and still seem to have the problem that when querying on any attribute that is being mapped and the query is against the base of the unified directory the directory entries from the OpenLDAP subordinate bdb database aren't included. This also appears to be the case with the object class of a directory entry, that is I am mapping user objects from Active Directory into inetOrgPerson objects and I also have inetOrgPerson objects within the OpenLDAP subordinate database, if I perform a query against the base of the unified directory "(objectClass=inetOrgPerson)" the entries from the OpenLDAP subordinate database are excluded and only the rewritten entries from Active Directory are retrieved, if I change the base the OpenLDAP subordinate database all works correctly (although obviously this isn't how I wish to use the system).
Would any of the debug logs from slapd be of any use to you?
Andrew
openldap-software@openldap.org