I've been banging my head against the wall with this project for the last few months and still haven't found a decent solution to my problem.
I'm trying to set up OpenLDAP to act as a proxy for Active Directory. OpenLDAP should be the internet-facing interface for all external queries against the AD catalog. I've got the connection set up and I'm able to retrieve and search for the most important values. However, when I try to get the group membership of the different objects, I've run into some problems.
When doing a search directly against Active Directory I can see the memberOf attributes for the objects [1], but when I perform the very same search through the proxy, those attributes have been ignored/stripped from the result [2].
I've tried including schemas for Active Directory found on the internet (like http://www.grotan.com/ldap/microsoft.schema), but if I try to include one in OpenLDAP I get lots and lots of errors and I have to start commenting out different attributes and object classes to get OpenLDAP to start. Examples of the errors are things like:
    /etc/ldap/schema/microsoft2.schema: line 30 objectclass: AttributeType not found: "remoteSource"
Then I comment out the objectclass and retry, and this basically goes on and on forever.
I've also tried including just the attribute I'm looking for, namely memberOf, like so:
    attributetype ( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' NO-USER-MODIFICATION )
And then I get the following error when I try to start slapd:
    /etc/ldap/schema/activedirectory.schema: line 60 attributetype: AttributeType inappropriate USAGE: "memberOf"
    /etc/ldap/slapd.conf: line 15: <include> handler exited with 1!
So my question is basically: how can I get the memberOf attribute included in my searches through OpenLDAP? Do I need to include the schema, or am I approaching this from the wrong angle? What needs to be done to set up OpenLDAP as a completely transparent proxy towards Active Directory, basically having it behave as if it were the AD itself answering whenever you query the proxy?
I'd be very grateful for whatever questions or feedback I can get, since this has been bothering me for a very long time now.
I've also included my slapd.conf file [3] and the schema [4] I've tried including.
- Marius
[1] http://pastebin.com/E6GVViGE
[2] http://pastebin.com/W28KPSky
[3] http://pastebin.com/T5Wd4JEB
[4] http://pastebin.com/8AGtnj2Q
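Editor's note, added after the post and not part of it: the "AttributeType inappropriate USAGE" error quoted above is raised by slapd's schema parser when an attribute type carries NO-USER-MODIFICATION but keeps the default USAGE of userApplications; an attribute that users may not modify must be declared with an operational USAGE (directoryOperation, distributedOperation or dSAOperation). The fragment below is an added example of a schema file that slapd accepts, not code from the original post, from OpenLDAP or from Microsoft; the file name activedirectory.schema is taken from the post, the DESC string is an assumption, and the OID and DN syntax are the ones already quoted in the post.

```conf
# activedirectory.schema -- added example, not from the original post.
#
# Rejected by slapd ("AttributeType inappropriate USAGE"): NO-USER-MODIFICATION
# is set, but USAGE is left at its default, userApplications.
#
#   attributetype ( 1.2.840.113556.1.2.102 NAME 'memberOf'
#       SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' NO-USER-MODIFICATION )
#
# Accepted: declare memberOf as an operational attribute. The DN syntax and
# distinguishedNameMatch let filters such as (memberOf=<group DN>) be parsed
# locally before they are forwarded to AD.
attributetype ( 1.2.840.113556.1.2.102
    NAME 'memberOf'
    DESC 'Groups the entry belongs to (constructed back-link in AD); DESC text is an assumption'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    NO-USER-MODIFICATION
    USAGE directoryOperation )
```

Two practical consequences follow from this declaration. First, slapd does not return operational attributes unless the client asks for them, so a search through the proxy must list memberOf (or "+") in its requested attributes even though AD itself returns memberOf by default; a client that relies on the implicit attribute list will still see it missing. Second, the OID above is the one OpenLDAP's own memberof overlay registers for local databases; a pure back-ldap proxy has no local entries for that overlay to maintain, so leave it unloaded when this schema is included. After editing the file, `slaptest -f /etc/ldap/slapd.conf` checks the whole configuration, including every included schema, without starting the daemon.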