I’m running OpenLDAP 2.3.43 and have a copy of OpenLDAP 2.4 installed on another server to test with.  I’m not sure which is better for this.

I’m trying to simplify LDAP structure and group authorized users into a few sub-OUs and have decided that OpenLDAP and a meta-backend is the way to proxy AD.  My problem is I’m hitting some snags and need some help from an expert.

Our AD users are structured as ou=employees,dc=org,dc=com and ou=clients,dc=org,dc=com.

I basically just want to proxy them to be:

ou=employees,ou=users,o=org and ou=clients,ou=users,o=org and move away from the dc naming convention for clarification of which system we’re authenticating to.


# settings for clients
database        meta
suffix          "ou=clients,dc=org,dc=com"
subordinate
uri             "ldap://ldap/ou=clients,dc=org,dc=com"
suffixmassage   "ou=clients,dc=org,dc=com" "ou=clients,ou=Users,o=org"
rewriteEngine on
rewriteRule "sAMAccountName=(.*)ou=clients,dc=org,dc=com$" "%1ou=clients,ou=Users,o=org" ":"
rebind-as-user true
chase-referrals yes

# settings for employees
database        meta
suffix          "ou=employees,dc=org,dc=com"
subordinate
uri             "ldap://ldap/ou=employees,dc=org,dc=com"
suffixmassage   "ou=employees,dc=org,dc=com" "ou=employees,ou=Users,o=org"
rewriteEngine on
rewriteRule "sAMAccountName=(.*)ou=employees,dc=org,dc=com$" "%1ou=employees,ou=Users,o=org" ":"
rebind-as-user true
chase-referrals yes

# primary
database        meta
suffix          "dc=org,dc=com"
uri             "ldap://jcdc1.etsu.edu/dc=org,dc=com"
suffixmassage   "dc=org,dc=com" "ou=Users,o=org"
rewriteEngine on
rewriteRule "sAMAccountName=(.*)dc=org,dc=com$" "%1ou=Users,o=org" ":"
rebind-as-user true
chase-referrals yes


I also have a local bdb database for o=org.  I can connect to the ldap server using a local account that exists in the bdb database, but cannot connect as a user that exists in the proxied ldaps.  For example, if I pass credentials of cn=user,ou=employees,ou=users,o=org... I get auth failures.  Can anyone shed a little light on the subject?  In testing, I was able to struggle and get a similar configuration working with an ldap backend, but it wouldn’t allow me to connect to more than one container and I wasn’t willing to do a blanket LDAP search.

Thanks,

-Ryan
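How slapd routes that bind DN, as an added example that is not part of Ryan's post or of OpenLDAP: a small Python simulation of database selection by longest matching suffix and of slapd-meta's suffixmassage, whose first argument is the virtual naming context clients use and whose second is the real one on the remote server (slapd-meta(5)), run over the suffixes and bind DN from the message. The DN normalisation and all function names are simplified assumptions, not slapd's code.

```python
"""Simulate slapd suffix routing and slapd-meta suffixmassage for the posted setup.
Added example; the DN normalisation is a simplified stand-in for slapd's."""

def normalize(dn):
    """Simplified DN normalisation: lower-case, strip blanks around '=' and ','."""
    rdns = [r.strip() for r in dn.split(",")]
    return ",".join("=".join(p.strip() for p in r.split("=", 1)) for r in rdns).lower()

def ends_with_suffix(dn, suffix):
    dn, suffix = normalize(dn), normalize(suffix)
    return dn == suffix or dn.endswith("," + suffix)

def select_database(dn, suffixes):
    """slapd hands an operation to the database whose suffix is the longest match
    for the target DN (this is how 'subordinate' databases nest under a parent)."""
    matches = [s for s in suffixes if ends_with_suffix(dn, s)]
    return max(matches, key=lambda s: len(normalize(s))) if matches else None

def massage(dn, virtual, real):
    """suffixmassage <virtual> <real>: replace the virtual naming context the client
    used with the real naming context the remote (AD) server holds."""
    if not ends_with_suffix(dn, virtual):
        raise ValueError("DN %r is outside virtual naming context %r" % (dn, virtual))
    n, v = normalize(dn), normalize(virtual)
    return normalize(real) if n == v else n[:-len(v)] + normalize(real)

# Constructed from the post: the suffixes of the four databases and the bind DN tried.
POSTED_SUFFIXES = ["o=org", "dc=org,dc=com",
                   "ou=clients,dc=org,dc=com", "ou=employees,dc=org,dc=com"]
BIND_DN = "cn=user,ou=employees,ou=users,o=org"

def route_as_posted():
    # The bind DN lives under o=org, so the local bdb database is the only match;
    # the meta databases, all rooted at dc=org,dc=com, never see the bind at all.
    return select_database(BIND_DN, POSTED_SUFFIXES)

def route_with_virtual_suffix():
    # With the meta suffix set to the virtual name the clients use, and suffixmassage
    # mapping that virtual context to the AD one, the bind reaches the meta database
    # and is rewritten into the DN AD actually stores.
    suffixes = ["o=org", "ou=employees,ou=users,o=org", "ou=clients,ou=users,o=org"]
    db = select_database(BIND_DN, suffixes)
    return db, massage(BIND_DN, db, "ou=employees,dc=org,dc=com")
```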