I'm running OpenLDAP 2.3.43 and have a copy of OpenLDAP 2.4 installed on another server to test with. I'm not sure which is better for this.
I'm trying to simplify LDAP structure and group authorized users into a few sub-OUs and have decided that OpenLDAP and a meta-backend is the way to proxy AD. My problem is I'm hitting some snags and need some help from an expert.
Our AD users are structured as ou=employees,dc=org,dc=com and ou=clients,dc=org,dc=com.
I basically just want to proxy them to be: ou=employees,ou=users,O=org and ou=clients,ou=users,o=org and move away from the dc naming convention for clarification of which system we're authenticating to.
    # settings for clients
    database meta
    suffix "ou=clients,dc=org,dc=com"
    subordinate
    uri "ldap://ldap/ou=clients,dc=org,dc=com"
    suffixmassage " ou=clients,dc=org,dc=com" "ou=clients,ou=Users,o=org"
    rewriteEngine on
    RewriteRule "sAMAccountName=(.*)ou=clients,dc=org,dc=com$" "%1ou=clients,ou=Users,o=org" ":"
    rebind-as-user true
    chase-referrals yes

    # settings for employees
    database meta
    suffix "ou= employees,dc=org,dc=com"
    subordinate
    uri "ldap://ldap/ou= employees,dc=org,dc=com"
    suffixmassage " ou= employees,dc=org,dc=com" "ou= employees,ou=Users,o=org"
    rewriteEngine on
    RewriteRule "sAMAccountName=(.*)ou= employees,dc=org,dc=com$" "%1ou= employees,ou=Users,o=org" ":"
    rebind-as-user true
    chase-referrals yes

    #primary database
    database meta
    suffix "dc=org,dc=com"
    uri "ldap://jcdc1.etsu.edu/dc=org,dc=com"
    suffixmassage "dc=org,dc=com" "ou=Users,o=org"
    rewriteEngine on
    RewriteRule "sAMAccountName=(.*)dc=org,dc=com$" "%1ou=Users,o=org" ":"
    rebind-as-user true
    chase-referrals yes
I also have a local bdb database for o=org. I can connect to the ldap server using a local account that exists in the bdb database, but cannot connect as a user that exists in the proxied ldaps. For example, if I pass credentials of cn=user,ou=employees,ou=users,o=org, I get auth failures. Can anyone shed a little light on the subject? In testing, I was able to struggle and get a similar configuration working with an ldap backend, but it wouldn't allow me to connect to more than one container and I wasn't willing to do a blanket LDAP search.
Thanks,
-Ryan
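As an added illustration (not part of the post above and not OpenLDAP's own code), a small Python model of how slapd picks the database for a bind DN by suffix and how slapd-meta's suffixmassage rewrites that DN before it is sent to the remote server; slapd-meta(5) documents the directive as "suffixmassage <virtual naming context> <real naming context>". The DNs are the ones from the post; the "longest matching suffix wins" rule and the two database lists are assumptions of the model.

```python
# Model of slapd database selection plus slapd-meta suffixmassage.
# Assumption: slapd routes an operation to the database whose suffix is the
# longest (most specific) suffix of the operation's DN. DN comparison is done
# case-insensitively after stripping whitespace around RDN components.

def normalize(dn):
    """Cheap DN normalisation: lower-case, no stray spaces around RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def under(dn, suffix):
    return dn == suffix or dn.endswith("," + suffix)

def select_database(bind_dn, databases):
    """Return the database with the most specific suffix covering bind_dn."""
    ndn, best = normalize(bind_dn), None
    for db in databases:
        suf = normalize(db["suffix"])
        if under(ndn, suf) and (best is None or len(suf) > len(normalize(best["suffix"]))):
            best = db
    return best

def massage(dn, virtual, real):
    """suffixmassage: rewrite the virtual naming context into the real one."""
    ndn, nv = normalize(dn), normalize(virtual)
    if not under(ndn, nv):
        return None                      # DN is outside the virtual context
    return ndn[: -len(nv)] + normalize(real)

def resolve_bind(bind_dn, databases):
    """(database name, DN actually used for the bind) or (None, None)."""
    db = select_database(bind_dn, databases)
    if db is None:
        return None, None
    if db["type"] == "bdb":              # local database: DN used as-is
        return db["name"], normalize(bind_dn)
    return db["name"], massage(bind_dn, *db["suffixmassage"])

# Constructed: the post's layout, where the meta suffix is the AD (real) DN.
AS_POSTED = [
    {"name": "local", "type": "bdb", "suffix": "o=org"},
    {"name": "employees", "type": "meta", "suffix": "ou=employees,dc=org,dc=com",
     "suffixmassage": ("ou=employees,dc=org,dc=com", "ou=employees,ou=Users,o=org")},
]
# Constructed: the documented form, where the meta suffix is the virtual DN
# served to clients and suffixmassage maps virtual -> real.
CORRECTED = [
    {"name": "local", "type": "bdb", "suffix": "o=org"},
    {"name": "employees", "type": "meta", "suffix": "ou=employees,ou=Users,o=org",
     "suffixmassage": ("ou=employees,ou=Users,o=org", "ou=employees,dc=org,dc=com")},
]
BIND_DN = "cn=user,ou=employees,ou=users,o=org"
```

With AS_POSTED the bind DN from the post never reaches the meta database (only the local o=org suffix matches it), whereas with CORRECTED it is routed to the proxy and rewritten to cn=user,ou=employees,dc=org,dc=com.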