I'm trying to proxy an AD and an OpenLDAP server on a separate machine to get a 'combined' view.
First problem (or the primary one?) is that the DN doesn't match.
AD: cn=turbo,ou=Office,ou=Users,ou=org1,dc=org2,dc=company,dc=tld
OL: uid=turbo,ou=People,dc=org3,dc=company,dc=tld
We have absolutely no write/modify access to the AD (we barely got search/compare access to parts of the AD!).
And the OL server... There's way too much work to modify that (as in massaging the DB and reloading it) at the moment. It's also running 2.3 at the moment, and we don't want to upgrade that any time soon.
The theory is/was to:
1. Setup an LDAP/META proxy to the AD to act as the 'local' DB.
2. Rewrite the AD DNs to match the OL DB.
3. Cache some common queries.
4. Glue the OL DB with the AD DB, the OL acting as the 'remote' DB.
Unfortunately, I can't get step four to work. Any queries seem to loop to the localhost.
I guess I could use rwm on the OL server to massage the DN (before it's presented to clients and the proxy), but I'd much rather do any rewrite etc. on my new proxy server if possible.
OR
Setup a second OL server on the current OL server, but on a different port (hidden), which proxies the main OL and rewrites the DN to match the AD. This hidden server could then be proxied by the new LDAP proxy, cached etc...
But neither of the alternative solutions is pretty :).
I'll have to maintain and support THREE LDAP servers (one DB and two proxies), which seems a little too much work.
And besides, the OL has all the UNIX (posixAccount etc.) stuff (only), with very few users (most of the organization don't need UNIX accounts), and most of the clients are configured to use that when searching etc. There are also other reasons why we would like to keep the OL server layout...
Parts of my slapd.conf:
#######################################################################
database        ldap
suffix          "dc=company,dc=tld"
rootdn          "cn=Manager,dc=company,dc=tld"
rootpw          "secret"

# ---------------------------------------------------------------------
##### Active Directory Server (will act as LOCAL DB)
uri             ldap://ad.company.tld

# Identity used towards AD for every proxied client (authzFrom "*").
# Note: no whitespace is allowed between "binddn" and "=".
idassert-bind   bindmethod=simple
                binddn="cn=unixldap,ou=service,ou=users,ou=selud,dc=rd,dc=company,dc=tld"
                credentials="Secret1"
                mode=none
idassert-authzFrom "*"

# ---------------------------------------------------------------------
#### Rewrite/Remap
# http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5941#followup7
overlay                     rwm
rwm-rewriteEngine           yes
rwm-normalize-mapped-attrs  yes

# rwm-map {attribute|objectclass} <local name> <foreign (AD) name>
rwm-map attribute   uid                 sAMAccountName
rwm-map attribute   gecos               displayName
rwm-map attribute   workPhone           telephoneNumber
rwm-map attribute   address1            streetAddress
rwm-map attribute   city                l
rwm-map attribute   state               st
rwm-map attribute   zip                 postalCode
rwm-map attribute   country             co
rwm-map attribute   c                   country
rwm-map attribute   distinguishedName   entryDN
rwm-map objectclass inetOrgPerson       user
rwm-map objectclass groupOfNames        group

# DNs of entries returned from AD: AD layout -> OL layout (":@" = stop after this rule)
rwm-rewriteContext  searchEntryDN
rwm-rewriteRule     "cn=(.*)?ou=Office,ou=Users,ou=ORG1,dc=ORG2,(.*)" "uid=$1ou=People,dc=ORG3,$2" ":@"
rwm-rewriteContext  searchAttrDN alias searchEntryDN
rwm-rewriteContext  matchedDN    alias searchEntryDN

# ---------------------------------------------------------------------
#### Proxy Cache
overlay         pcache
# pcache <database> <max_entries> <numattrsets> <entry_limit> <cc_period>
pcache          hdb 2500 3 1 300

pcacheAttrset   0 uid uidNumber gidNumber cn sn givenName distinguishedName
pcacheAttrset   1 c physicalDeliveryOfficeName streetAddress mail
pcacheAttrset   2 uid uidNumber gidNumber cn sn givenName distinguishedName c physicalDeliveryOfficeName streetAddress mail

# pcacheTemplate <filter template> <attrset index> <ttl>
pcacheTemplate  (uid=)                  0 3600
pcacheTemplate  (cn=)                   0 3600
pcacheTemplate  (|(uid=)(cn=))          0 3600
pcacheTemplate  (|(cn=)(uid=))          0 3600
pcacheTemplate  (objectClass=)          2 3600
pcacheTemplate  (|(objectClass=)(cn=))  2 3600
pcacheTemplate  (gecos=)                1 3600
pcacheTemplate  (&(sn=)(givenName=))    1 3600

# hdb settings for the cache database
cachesize       20
directory       /usr/local/turbo/var/openldap-data
index           objectClass eq
index           cn,sn,uid,mail pres,eq,sub

# ---------------------------------------------------------------------
#### Translucent Proxy
overlay             translucent
translucent_strict  yes
#translucent_local   uid,uidNumber,gidNumber,cn,sn,givenName,distinguishedName,mail
#translucent_remote  uid,uidNumber,gidNumber,cn,sn,givenName,distinguishedName,mail

### OpenLDAP Server (will act as REMOTE DB)
uri                 "ldap://ol.company.tld/"
network-timeout     3
chase-referrals     no

acl-bind            binddn="cn=Manager,dc=company,dc=tld" credentials="secret"
idassert-bind       bindmethod=simple
                    binddn="cn=Manager,dc=company,dc=tld"
                    credentials="Secret2"
                    mode=none
idassert-authzFrom  "*"
#######################################################################
Disclaimer: Much of this hasn't been optimized yet. I'll fine-tune and tweak stuff once I can get it to work...
-- Life sucks and then you die
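Added example (not part of the post above, and not OpenLDAP code): a small Python harness that applies the posted searchEntryDN rewrite rule to the DNs quoted in the message, so the rule can be checked before touching slapd.conf. It also tries a stricter rule of my own (anchored, OU names in the case the DN actually uses, escaped commas in the CN value handled); the escaped-comma DN is a constructed sample.

```python
import re

# DN as quoted in the post (AD form; the OL form is what the rule should yield).
AD_DN = "cn=turbo,ou=Office,ou=Users,ou=org1,dc=org2,dc=company,dc=tld"
# Constructed sample: AD CN values often carry an escaped comma ("Last\, First").
AD_DN_ESCAPED = r"cn=Smith\, John,ou=Office,ou=Users,ou=org1,dc=org2,dc=company,dc=tld"
# The binddn from the posted config: outside the rewritten subtree, must pass through.
AD_DN_OTHER = "cn=unixldap,ou=service,ou=users,ou=selud,dc=rd,dc=company,dc=tld"

# The rule exactly as posted (rwm-rewriteRule, searchEntryDN context).
# $1 only carries the trailing comma because the greedy (.*)? swallows it;
# it also spells ORG1/ORG2 while the quoted DN uses org1/org2, so whether the
# match is case-sensitive (the POSIX regex default) decides if it fires at all.
POSTED_PATTERN = r"cn=(.*)?ou=Office,ou=Users,ou=ORG1,dc=ORG2,(.*)"
POSTED_SUBST = r"uid=\1ou=People,dc=ORG3,\2"

# Stricter rule (my suggestion, not from the post), written in POSIX-ERE-compatible
# syntax so it could be pasted into slapd.conf: anchored at both ends, separators
# explicit, and the RDN value captured as non-comma or backslash-escaped characters.
# Group 1 = whole CN value, group 2 = ERE helper group, group 3 = rest of the DN.
STRICT_PATTERN = r"^cn=(([^,\\]|\\.)+),ou=Office,ou=Users,ou=org1,dc=org2,(.*)$"
STRICT_SUBST = r"uid=\1,ou=People,dc=org3,\3"


def apply_rule(dn, pattern, subst, flags=0):
    """Apply one rewrite rule: leftmost regex match and substitution,
    or hand the DN back untouched when the pattern does not match."""
    m = re.search(pattern, dn, flags)
    return m.expand(subst) if m else dn


def rewrite_posted(dn, ignore_case=False):
    """The rule from the post, optionally matched case-insensitively."""
    return apply_rule(dn, POSTED_PATTERN, POSTED_SUBST,
                      re.IGNORECASE if ignore_case else 0)


def rewrite_strict(dn):
    """The stricter rule suggested above."""
    return apply_rule(dn, STRICT_PATTERN, STRICT_SUBST)


if __name__ == "__main__":
    for dn in (AD_DN, AD_DN_ESCAPED, AD_DN_OTHER):
        print(dn)
        print("  posted       :", rewrite_posted(dn))
        print("  posted+icase :", rewrite_posted(dn, ignore_case=True))
        print("  strict       :", rewrite_strict(dn))
```

Only the searchEntryDN, searchAttrDN and matchedDN contexts are rewritten in the posted config, i.e. DNs on the way back to the client; a client that searches with an OL-style base or bind DN still reaches AD with that DN unchanged.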