We are trying to create an LDAP proxy to hide two distinct AD servers
behind a "single LDAP view". The goal is to authenticate and authorize
extranet and internal users using a single LDAP server, as LDAP clients
(e.g. Apache) should only talk to a single LDAP server, and not be aware
of the multiple AD servers behind the proxy.
Our understanding is that we can create a meta database with two
back-ends, using distinct uri/suffix/etc.
- using an AD user to talk to the proxy, which then is re-used by the
proxy to talk to the back-end
What does not work:
- one "front-end", simple-bind LDAP-user used to access the LDAP-proxy,
and only known to the proxy
- one back-end user per back-end (known in AD).
So we want to first search where a user is by using a front-end account,
and then retry a bind with the user's effective username and password
using its correct DN.
suffixmassage "OU=O3,dc=meta,dc=x1,dc=ch" "OU=O3,dc=ad,dc=x1,dc=ch"
When we try to use idassert-bind above, we always get the following
error in the log:
535a1f25 conn=1000 op=1 <<< meta_search_dobind_init=4
535a1f25 conn=1000 op=1 <<< meta_back_search_start=4
535a1f25 conn=1000 op=1 meta_back_search: ncandidates=1 cnd="*"
535a1f25 conn=1000 op=1 >>> meta_search_dobind_init
535a1f25 conn=1000 op=1 meta_search_dobind_init mc=0x7f17fc008ef0:
non-empty dn with empty cred; binding anonymously
so it looks like our identity is never used beyond the proxy to talk to the AD.
I'd like to set up an LDAP backend toward a remote LDAP server. The base DN
of the searches for the remote server is runtime information and can be any
valid DN. I used slapd-ldap and found slapo-rwm, which seems to do
exactly what I need, so I configured a suffixmassage where I replace the
local DN with the remote base DN. So far so good, I got everything working. I
even applied some more manipulations on searches and results by rwm. I was
almost done except for one (not so) tiny thing: I wanted to have local
overrides on certain attributes. I was glad to encounter slapo-translucent,
as it documents:
"Entries retrieved from a remote LDAP server may have some or all
attributes overridden, or new attributes added, by entries in the local
database before being presented to the client".
I started to set it up, but to me it looks impossible to combine it
with rwm. I used the following example to set up translucent:
I tried to apply rwm together with translucent like 1) first. I thought
this is the ideal setup since I want the suffixmassage only when I turn to
the remote LDAP and I want the suffixmassage to be reverted when back from
And the result was:
adding new entry
ldap_add: Object class violation (65)
I was a bit disappointed but tried other combinations as well.
This one resulted in suffixmassage for remote ldap, but also for the
translucent local hdb search, which is obviously not a valid dn for the
As an extra I also faced ITS#5941 (
This one resulted in intact suffix for ldap and a suffixmassage for local,
which is again useless for my case.
I also tried to look at whether I can use the obsolete suffixmassage option of
the slapd-ldap, but that does not seem to have an olc schema by looking at
After these trials my conclusion was that I have to find a completely
different way of doing this.
Is it not possible to do a suffixmassage on an ldap backend over
translucent? For me this is such a basic use case that I am surprised.
Can someone explain if this is a known missing feature or an intentional
limitation? If the latter, why?
Any proposal how to solve local overrides inside slapd? (I wouldn't like to
run two slapd to separate rwm from translucent)
Thanks and Regards,
ps: using OpenLDAP 2.4.28 on an Ubuntu 12.04 LTS
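The suffixmassage rewriting that both posts above rely on (slapd-meta in the first, slapo-rwm in the second) maps DNs under the proxy's virtual suffix onto the real backend suffix on the way out, and back on the way in. The following is an added example in Python, not OpenLDAP code, re-implementing that mapping with the first post's two suffixes; the sample user DN is constructed.

```python
import re

# Split a DN into its RDNs on commas that are not backslash-escaped.
def split_dn(dn):
    return [r.strip() for r in re.split(r'(?<!\\),', dn)] if dn else []

# Normalise one RDN for comparison: type and value lower-cased, blanks around
# '=' dropped. Assumes single-valued RDNs with caseIgnore syntax (true for
# dc and ou), which is what the suffixes on this page use.
def norm_rdn(rdn):
    typ, _, val = rdn.partition('=')
    return f"{typ.strip().lower()}={val.strip().lower()}"

def massage(dn, virtual, real):
    """Return dn with its `virtual` suffix replaced by `real` when dn is equal
    to or subordinate to `virtual`; other DNs are returned unchanged. The
    client's own spelling of the prefix is preserved."""
    parts, vparts = split_dn(dn), split_dn(virtual)
    if len(parts) < len(vparts):
        return dn
    cut = len(parts) - len(vparts)
    if [norm_rdn(r) for r in parts[cut:]] != [norm_rdn(r) for r in vparts]:
        return dn
    return ','.join(parts[:cut] + split_dn(real))

# Suffix pair from the first post: what clients see vs. what the AD holds.
VIRTUAL = "OU=O3,dc=meta,dc=x1,dc=ch"
REAL = "OU=O3,dc=ad,dc=x1,dc=ch"

def to_backend(dn):
    """Request direction: search base / bind DN sent on to the AD."""
    return massage(dn, VIRTUAL, REAL)

def to_client(dn):
    """Result direction: entry DNs handed back to the LDAP client."""
    return massage(dn, REAL, VIRTUAL)

if __name__ == "__main__":
    user = "cn=jdoe,ou=Users,OU=O3,dc=meta,dc=x1,dc=ch"  # constructed
    print(to_backend(user))
    print(to_client(to_backend(user)))
    print(to_backend("cn=other,dc=elsewhere"))  # outside the suffix: untouched
```

The matching is deliberately suffix-only, which is why a second database (such as the translucent local one in the second post) sitting under the same overlay gets its DNs rewritten too.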
I subscribed to the development mailing list Tuesday, to migrate a thread
discussing the password policy implementation that I was told belonged
there. However, neither of my two postings to that list seems to have been
delivered. I am definitely subscribed, having received a message from the
list, and my messages to openldap-technical are coming through fine, so I
don't think my mail isn't reaching the list.
The list description says the list is semi-moderated, so I'm assuming that
as a new subscriber my postings are awaiting approval. Reviewing the
archives, it doesn't seem like it's that busy of a list. I was just
wondering if anyone knew how long it usually took for a new subscriber to be
approved for posting?
Can anybody explain what the "rid", "sid", and "to" IDs refer to in the syncprov_sendresp message? Example:
slapd: syncprov_sendresp: to=002, cookie=rid=006,sid=003,csn=20140430111351.287889Z#000000#001#000000
I guess the original is from SID==1, the local SID==003. Does it send to SID==2? If so, what is rid==6 referring to?
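As an added example (not OpenLDAP code), the parser below takes the log line quoted above apart so the four identifiers can be told from each other: the to= value, the rid and sid of the cookie, and the serverID embedded in the CSN, whose documented layout is <UTC time>.<microseconds>Z#<count>#<sid>#<modifier>. It assumes slapd prints rid in decimal and sid, to= and the CSN fields in hexadecimal.

```python
import re
from datetime import datetime, timezone

# OpenLDAP CSN: 14-digit UTC time, 6-digit fraction, then change count,
# originating serverID and modifier number, all hexadecimal.
CSN_RE = re.compile(r'^(?P<time>\d{14})\.(?P<usec>\d{6})Z'
                    r'#(?P<count>[0-9a-f]{6})#(?P<sid>[0-9a-f]{3})'
                    r'#(?P<mod>[0-9a-f]{6})$')

def parse_csn(csn):
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError(f"malformed CSN: {csn!r}")
    when = datetime.strptime(m['time'], '%Y%m%d%H%M%S').replace(
        tzinfo=timezone.utc, microsecond=int(m['usec']))
    return {'time': when, 'count': int(m['count'], 16),
            'sid': int(m['sid'], 16), 'mod': int(m['mod'], 16)}

def parse_cookie(cookie):
    """Split 'rid=NNN,sid=NNN,csn=CSN[;CSN...]'. Several CSNs, one per
    provider serverID, are separated by ';'. rid is taken as decimal and sid
    as hexadecimal (assumption: matches how slapd formats them)."""
    fields = dict(kv.split('=', 1) for kv in cookie.split(','))
    out = {}
    if 'rid' in fields:
        out['rid'] = int(fields['rid'], 10)
    if 'sid' in fields:
        out['sid'] = int(fields['sid'], 16)
    out['csn'] = [parse_csn(c) for c in fields.get('csn', '').split(';') if c]
    return out

def parse_sendresp(line):
    """Extract to= and the cookie from a syncprov_sendresp log line."""
    m = re.search(r'syncprov_sendresp: to=([0-9a-f]{3}), cookie=(\S+)', line)
    if not m:
        raise ValueError("not a syncprov_sendresp line")
    return {'to': int(m.group(1), 16), 'cookie': parse_cookie(m.group(2))}

# The log line quoted in the question above.
LOG = ("slapd: syncprov_sendresp: to=002, cookie=rid=006,sid=003,"
       "csn=20140430111351.287889Z#000000#001#000000")

if __name__ == "__main__":
    r = parse_sendresp(LOG)
    print(r['to'], r['cookie']['rid'], r['cookie']['sid'],
          r['cookie']['csn'][0]['sid'], r['cookie']['csn'][0]['time'])
```

Running it on the quoted line shows that the sid inside the CSN (001) is a different field from the cookie's own sid (003), which is the distinction the question turns on.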
I have a branch "ou=people" where RDNs are of the form "X1234" and NEVER
change for one person.
Ex.: uid=X1234,ou=people,dc=example,dc=org
In this node, I have the login under the "eduPersonPrincipalName" attribute,
which MAY change.
Some applications don't allow us to define which login to use and so take
the "uid" attribute by default, not so cool.
Is there any possibility in OpenLDAP to dynamically duplicate an OU with
another RDN to have for example:
I found the previous post of someone else who faced
the same problem I'm encountering, but I did not see a posted
In /etc/openldap/ldap.conf, TLS_REQCERT is set to 'allow'.
I would like to leave this setting, but override it for a
specific invocation of ldapsearch. I have attempted to do so by
setting TLS_REQCERT in ~/.ldaprc and by setting the LDAPTLS_REQCERT
environment variable. Neither has worked.
Interestingly, I _HAVE_ found that I can override TLS_CACERTDIR
in either of those locations.
Is this a bug?
Andrew D. Arenson | aarenson (@) iu.edu
Advanced Biomedical IT Core, Research Technologies, UITS | W (317) 278-1208
RT is a PTI Cyberinfrastructure & Service Center | C (317) 679-4669
Indiana University Purdue University Indianapolis | F (317) 278-1852
Looking at the test source code of 2.4.39 for the ppolicy script, I can see
the ldapsearch is using a '-e ppolicy' option. The man page for
ldapsearch lists 'general extensions' under -e and -E options. But I
cannot figure out what these extensions are.
What is '-e ppolicy', and when do you need it?