On Thu, 10 Aug 2017 12:54:38 -0400, JOSE L MARTINEZ-AVIAL jlmagc@gmail.com wrote:
Hello, I'm trying to combine my test openldap (MDB database) with my production AD installation, so I can have the production users access my test systems. In order to do that I've created two databases in my slapd.conf, as follows:
    #######################################################################
    # database definitions
    #######################################################################
    include /usr/local/etc/openldap/slapd-meta-ad-prd.conf
    include /usr/local/etc/openldap/slapd-mdb.conf
The configuration file for the AD connection is as follows:
    database        meta
    suffix          "dc=bsi,dc=test,dc=com"
    uri             "ldap://miadc01.mia.usa.sinvest/dc=bsi,dc=test,dc=com"
    suffixmassage   "dc=bsi,dc=test,dc=com" "dc=mia,dc=usa,dc=sinvest"
    idassert-bind   bindmethod=simple
                    binddn="cn=Test User,cn=users,dc=mia,dc=usa,dc=sinvest"
                    credentials=xxxxx
The configuration file for the MDB is:

    database        mdb
    maxsize         1073741824
    suffix          "dc=test,dc=com"
    rootdn          "cn=Manager,dc=test,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    # Added by pplu to support root authentication
    rootpw          xxxxxxx
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory       /usr/local/var/openldap-data/mdb
    # Indices to maintain
    index           objectClass eq
    overlay         memberof
    memberof-group-oc   groupOfUniqueNames
    memberof-member-ad  uniquemember
So the first database uses the suffix "dc=bsi,dc=test,dc=com", and the second one uses "dc=test,dc=com". The idea is that the AD would appear as a branch of the development database. I've found that I can search the AD by using the search base DN "dc=bsi,dc=test,dc=com", but if I try to search with base DN "dc=test,dc=com", only the test database is searched. The search does not combine both databases. How can I do it?
You may consider gluing both databases into a single namingContext by declaring "dc=bsi,dc=test,dc=com" as a subordinate database; see slapd.conf(5). But this requires a single rootDN.
-Dieter
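As an added illustration of the reply above (not part of the original thread), here are the poster's two database definitions glued into one namingContext with the `subordinate` directive from slapd.conf(5). The hostnames, DNs, paths and overlay settings are taken from the question; the placement of `rootdn` and `subordinate` in the meta database, the omission of `rootpw` there, and the ordering of the two databases follow slapd.conf(5) as I read it, so treat them as the assumptions of this example rather than as a tested configuration for the poster's site.

```conf
# Added example, not from the original thread: slapd.conf fragment gluing
# the back-meta proxy for AD under the local MDB tree so that a subtree
# search based at dc=test,dc=com also descends into dc=bsi,dc=test,dc=com.

# The subordinate database comes first: slapd.conf(5) requires a
# subordinate to be defined before its superior. With the poster's two
# include lines this ordering is already the case.
database        meta
suffix          "dc=bsi,dc=test,dc=com"
# All databases in one glued namingContext must share a single rootdn,
# so the meta database takes the MDB database's rootdn. No rootpw here:
# slapd.conf(5) only allows rootpw when the rootdn lies inside this
# database's suffix, which cn=Manager,dc=test,dc=com does not.
rootdn          "cn=Manager,dc=test,dc=com"
# Glue this suffix into the superior dc=test,dc=com namingContext.
# Add the optional "advertise" argument to also list this suffix
# as its own namingContext in the root DSE.
subordinate
# Per-target back-meta directives follow the uri they belong to.
uri             "ldap://miadc01.mia.usa.sinvest/dc=bsi,dc=test,dc=com"
suffixmassage   "dc=bsi,dc=test,dc=com" "dc=mia,dc=usa,dc=sinvest"
# Every proxied search is performed against AD as this one account,
# whose cleartext password sits in this file: keep the file mode
# restrictive, as the MDB section's own comments already say.
idassert-bind   bindmethod=simple
                binddn="cn=Test User,cn=users,dc=mia,dc=usa,dc=sinvest"
                credentials=xxxxx

# The superior database: the local test tree, unchanged from the
# question except that it is now listed after its subordinate.
database        mdb
maxsize         1073741824
suffix          "dc=test,dc=com"
rootdn          "cn=Manager,dc=test,dc=com"
rootpw          xxxxxxx
directory       /usr/local/var/openldap-data/mdb
index           objectClass eq
overlay         memberof
memberof-group-oc   groupOfUniqueNames
memberof-member-ad  uniquemember
```

After restarting slapd, a subtree search such as `ldapsearch -x -H ldap://localhost -b dc=test,dc=com '(objectClass=person)'` should return entries from both the local MDB tree and the proxied AD branch, whereas before the glue only the MDB entries came back. Two consequences of the glue are worth knowing before relying on it: slapd.conf(5) notes that operations other than search are not combined (in particular a moddn cannot move an entry between the two databases), and because the subordinate shares the superior's rootdn, the single `rootpw` in the MDB section now also authenticates as rootdn for the proxied branch, so the existing advice in that section about hashed rather than cleartext passwords applies with more weight.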