Hi,
I have an Active Directory server, an OpenLDAP server and a client machine. AD is based on Windows Server 2003, OpenLDAP is 2.3.43-3.el5 running on CentOS 5 i386, and the client machine is CentOS 5 as well.
Does the OpenLDAP server, in any version, allow me to rewrite/remap/merge results from:
- Active Directory
- an internal LDAP database (or any database)
to make them suitable for nss_ldap?
AD doesn't have all the attributes needed by nss_ldap, so I thought I would keep an internal LDAP database with the missing information (uidNumber, loginShell, etc.) and merge, rewrite, remap or meta this information, and then give that result to nss_ldap.
I understand that it is possible with slapd-meta to merge different DITs from different databases into a single DIT, but what I need here is to merge attributes from one db with a second db (Active Directory), then rewrite that, and finally return the result to the querying client.
What I mean is, is it possible to rewrite/remap results from AD which look like this:
# (sAMAccountName=kucharskim)
dn: CN=kucharskim,CN=Users,DC=euops,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: kucharskim
distinguishedName: CN=kucharskim,CN=Users,DC=euops,DC=lan
instanceType: 4
whenCreated: 20091117183353.0Z
whenChanged: 20091117183353.0Z
uSNCreated: 15484
uSNChanged: 15488
name: Mikolaj Kucharski
objectGUID:: PLah511UiUKib3pt8HCJ+g==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129041574477164624
lastLogoff: 0
lastLogon: 129046275442578437
pwdLastSet: 129029564332783194
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA1MNb9pJhAvyslWmgfAcAAA==
accountExpires: 9223372036854775807
logonCount: 9
sAMAccountName: kucharskim
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=euops,DC=lan
memberOf: CN=testgroup,CN=ActiveDirectoryGroups,DC=euops,DC=lan
with the pieces missing from another ldap db, to something like this:
# (uid=kucharskim)
dn: uid=kucharskim,ou=People,dc=ldapdomain,dc=lan
uid: kucharskim
cn: Mikolaj Kucharski
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12561
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10207
gidNumber: 10207
homeDirectory: /home/kucharskim
gecos: Mikolaj Kucharski
# (memberUid=kucharskim)
dn: cn=testgroup,ou=Groups,dc=ldapdomain,dc=lan
objectClass: posixGroup
objectClass: top
cn: testgroup
gidNumber: 50201
memberUid: kucharskim
memberUid: ldapuser1
memberUid: ldapuser2
I see that this is something overly complicated, but I wanted to know whether that is possible. If it is, could someone tell me which version of OpenLDAP supports it and where I can read about how to implement it? Thank you.
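One way the attribute merge described above could be wired up, as an added example that is not part of the original post: the slapo-translucent overlay (present in OpenLDAP 2.3) sits on a small local database that stores only the POSIX attributes, forwards every search to AD, and merges the local entry that has the same DN onto the AD result before it is returned. The hostnames ad.euops.lan and proxy.ldapdomain.lan, the CN=ldapproxy read-only account, the passwords, the rootdn and the assumption that the CentOS build includes the translucent overlay and the idassert-bind directives are all placeholders or assumptions; the uid and uidNumber values are taken from the post. Two consequences a practitioner should know before choosing this route: translucent matches local and remote entries by identical DN, so the local database must use the AD naming context and returned entries keep their AD DN (CN=kucharskim,CN=Users,DC=euops,DC=lan, not uid=kucharskim,ou=People,dc=ldapdomain,dc=lan); and search filters are evaluated on the AD side, so nss_ldap has to be told to search by sAMAccountName and objectClass user (nss_map_* in ldap.conf). Group lookups are not covered here.

```conf
# --- /etc/openldap/slapd.conf (fragment) ---
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema

# Local database: holds ONLY the attributes AD lacks. Its suffix is the AD
# naming context because slapo-translucent merges entries by identical DN.
database        bdb
suffix          "DC=euops,DC=lan"
rootdn          "cn=manager,DC=euops,DC=lan"          # assumption
rootpw          REPLACE-WITH-LOCAL-ROOT-PASSWORD      # placeholder
directory       /var/lib/ldap

# Remote side: AD is searched first, then the local entry with the same DN
# is merged on top. Remote-connection settings are slapd-ldap(5) directives
# placed after the overlay line.
overlay         translucent
uri             ldap://ad.euops.lan/                  # assumption
# AD refuses anonymous searches, so the proxy binds with an unprivileged
# read-only account on behalf of every client (assumed to work this way in
# the installed slapd-ldap version; verify with slapd-ldap(5)).
idassert-bind   bindmethod=simple
                binddn="CN=ldapproxy,CN=Users,DC=euops,DC=lan"
                credentials=REPLACE-WITH-PROXY-PASSWORD
                mode=none
idassert-authzFrom "*"

# --- local entry (LDIF), loaded into the bdb database with ldapadd ---
# Only the POSIX attributes; uid repeats sAMAccountName so that the
# account/posixAccount schema is satisfied in the local database.
# dn: CN=kucharskim,CN=Users,DC=euops,DC=lan
# objectClass: account
# objectClass: posixAccount
# uid: kucharskim
# uidNumber: 10207
# gidNumber: 10207
# homeDirectory: /home/kucharskim
# loginShell: /bin/bash
# gecos: Mikolaj Kucharski

# --- /etc/ldap.conf on the client (nss_ldap) ---
# Filters are evaluated by AD, so they must name AD's attribute and object
# class; the merged entry already carries uidNumber, gidNumber, etc.
# uri ldap://proxy.ldapdomain.lan/
# base DC=euops,DC=lan
# nss_base_passwd CN=Users,DC=euops,DC=lan?one
# nss_map_objectclass posixAccount user
# nss_map_attribute uid sAMAccountName
```

With this layout a lookup such as "getent passwd kucharskim" makes nss_ldap send (&(objectClass=user)(sAMAccountName=kucharskim)) to the proxy, which answers with the AD entry plus the locally stored POSIX attributes. Keep the proxy account's AD permissions read-only and restrict who may query the proxy with ordinary slapd access directives, since the merged view exposes AD account data to any client that can reach it.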