Hi,
I am going through the hoops of setting up an LDAP proxy (OpenLDAP 2.3 as supplied with Red Hat 5.6) in order to expose parts of our Active Directory to other services which for political and security reasons (that I have no influence in) we do not want talking directly to the AD. In order to achieve this I would like to use ldap-back as the database to act as the proxy to the AD and then a module such as translucent to mask out the bits of the AD that we do not want exposed.
So far I am fighting to get ldap-back working as I would expect, at the moment no matter what I do it fails to bind against the AD and a tcp dump demonstrates this failure. Anonymously binding and querying the AD is not an option and so I have to specify a user and get ID assertion working to force a bind against the AD as a specific known user. This does mean that anything (at the moment) could query our proxy and so get at the exposed parts of the AD and for the moment that is intentional. I am also aware that TLS etc are not enabled - this is deliberate as it makes packet sniffing for debugging easier.
So for my slapd.conf I have:
[slapd.conf]
database ldap uri "ldap://myad.canterbury.ac.uk/" suffix "dc=myad,dc=canterbury,dc=ac,dc=uk"
acl-bind bindmethod=simple binddn="CN=ldapproxy,OU=AD Administrators,DC=myad,DC=canterbury,DC=ac,DC=uk" credentials="password" access to * by * read
idassert-bind bindmethod=simple
authzId=dn:CN=ldapproxy,OU=Administrators,DC=myad,DC=canterbury,DC=ac,DC =uk
binddn="CN=ldapproxy,OU=Administrators,DC=myad,DC=canterbury,DC=ac,DC=uk " credentials="password" idassert-authzFrom "dn.regex:.*"
[end slapd.conf]
At the moment I don't really care that anyone can read anything from the AD since I can't even bind, that will be tightened up in due course. I have seen others over the years have had similar issues and I have noted the responses they have received as well as reading the man pages and the Admin Guide, but am now at the point where some community support would be appreciated.
Thanks
Paul