I have a requirement to link up the contents of an AD and an eDir into a single meta dir.
I am testing all this on a small system. The basic idea is that a user will be able to do
a search on their uid and then bind to it. Their account could be in either the AD or the
eDir. I would want to support both simple and digest-md5 binds. Both eDir and AD support
SASL digest md5 binds but AD does not allow simple binds. I do not wish to change the
back ends but just work with what is there.
In my test system I have dc=blueloop,dc=net at the top with ou=edir and ou=ad to be mapped
under the top level. My gerdesj account has all the relevant rights in all cases.
I have gone around in circles on this several times! I can do a browse of the edir
container fine, i.e. a search of ou=edir,dc=blueloop,dc=net as anon returns stuff as I
This seems to work OK:
ldapsearch -h localhost '(objectclass=*)' -D "ou=edir,dc=blueloop,dc=net" -x -W
Trying to use SASL fails:
ldapsearch -h localhost -b 'ou=edir,dc=blueloop,dc=net' '(objectclass=*)' -Y DIGEST-MD5 -U "dn:cn=gerdesj,ou=edir,dc=blueloop,dc=net"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
This seems to imply to me that the OpenLDAP box is trying to auth me rather than passing
this off to the system it is proxying. Why?
I would also like to make the AD side of things such that it will allow a simple anonymous
connection to search and then allow through a simple bind
I've read everything I can find but have run out of steam. Thanks for any advice or
Here is a chunk out of my slapd.conf
#ldapsearch -h localhost -b 'ou=edir,dc=blueloop,dc=net' -s sub -x -D ''
Registered Address : 7 Manor Buildings, North Perrott, Crewkerne, Somerset, TA18 7ST
Registered England & Wales - 3981322
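An added example, not taken from the post above, of a back-meta database for the layout it describes (eDir under ou=edir and AD under ou=ad beneath dc=blueloop,dc=net). The target hostnames, the real eDir and AD naming contexts, the proxy account and its credential are assumptions; the comments record why a DIGEST-MD5 bind against the proxy produces the "no secret in database" error seen above.

```conf
# slapd.conf fragment (added example; hosts, real contexts and proxy account are placeholders)
database        meta
suffix          "dc=blueloop,dc=net"
rootdn          "cn=manager,dc=blueloop,dc=net"

# Why SASL/DIGEST-MD5 fails here: slapd's own SASL layer answers SASL binds and looks
# for the user's secret locally (sasldb or an authz-regexp-mapped local entry). Nothing
# is forwarded to a target, so a proxied user has no secret -> "SASL(-13): user not found".
# Only simple binds are passed through to the eDir/AD targets as simple binds.

# Target 1: eDirectory. The real context (assumed "o=blueloop") is presented as ou=edir.
uri             "ldap://edir.example.net/ou=edir,dc=blueloop,dc=net"
suffixmassage   "ou=edir,dc=blueloop,dc=net" "o=blueloop"

# Target 2: Active Directory. AD rejects anonymous searches, so a request that reaches
# this target without a client bind is performed as a low-privilege proxy account
# (identity assertion). mode=none: no proxyAuthz control is sent, since AD does not
# honour it. Without the "override" flag, a client that has bound with its own DN and
# password keeps using that forwarded simple bind instead of the proxy account.
uri             "ldap://ad.example.net/ou=ad,dc=blueloop,dc=net"
suffixmassage   "ou=ad,dc=blueloop,dc=net" "dc=ad,dc=blueloop,dc=net"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=ad,dc=blueloop,dc=net"
                credentials="PLACEHOLDER-PROXY-PASSWORD"
                mode=none
# Which local identities may use the proxy account: anonymous (empty DN) matches here.
idassert-authzFrom "dn.regex:.*"
```

The proxy account only needs read rights on the AD container being exposed, and its password should be kept out of world-readable copies of slapd.conf.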