On 21/01/2011 21:01, L.B. wrote:
Hi all -
Thanks in advance. I know this topic has been discussed at length but I'm fairly new to it and haven't been able to find enough information to get my implementation working. I've been piecing together bits and pieces of what seems like the correct parameters, but I've had no luck... and now that I've resorted to guessing, I'd like to ask for help.
So here's what I'm trying to achieve:
One OpenLDAP server that will A) proxy for a backend AD server and B) maintain a local database for users that are not in AD. The AD system will be used for internal/corp users while the local db will be used for external/3rd party people. The AD system has _some_ of the unix schema attributes, but not all so I will be doing some rewriting on the openldap server. The linux workstations will use the single openldap server and will only be used by internal users and we also have some websites that are for internal/external users.
For the time being, I'm just working on part A - proxy requests for these linux workstations to the backend AD server and get the proper mapping figured out.
My present problem is that my openldap server is connecting anonymously to the AD server and that's no good because that's not allowed. I have a AD service account defined for the openldap server connections, and have configured the correct values for the 'idassert-bind' directive (see below). Performing a manual ldapsearch works fine when I define the same parameters on the command line, but slapd isn't using the correct parameters it seems. Below are the config files, etc for each component... I hope this helps.
./ldapsearch -vvv -H ldap://corp-ad.mascorp.com -b "dc=mascorp,dc=com" -s sub -D "cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" -W
This is the server config on the openldap server:
[...]
idassert-bind bindmethod=simple binddn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" credentials="mofosecret"
access to dn.subtree="dc=mascorp,dc=com"
Look into the "mode" parameter of idassert-bind. For example, by adding "mode=none" to the end of the above line, slapd will always use the given binddn and credentials to forward anonymous connections to AD. Of course, this may be seen as a security flaw: you're giving anonymous access via OpenLDAP to a directory that doesn't allow anonymous access - use with care (this said, if access to your OpenLDAP directory is protected in another way, I see no reason not to do this).
For your part B), I suggest looking into the subordinate keyword: add a "hdb" database to your config, and place the AD proxy as a subordinate to that. You'll then be able to have "local" users in OpenLDAP, and a subtree that is a proxy to your AD.
Once you're there, it may be worthwhile setting up pcache (caching proxy), to save a bit of traffic between OpenLDAP and AD, and possibly provide some security against AD being unavailable and "breaking" your OpenLDAP installation.
Hope this helps, Jonathan
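The layout Jonathan describes (local hdb database as the parent, the AD proxy as a subordinate, idassert-bind with mode=none) as an added example slapd.conf; it is not the config of either poster. The AD host, base and service-account DN are taken from the thread, while the local suffix "dc=agis,dc=local", the rootdn and all secrets are placeholders, and the ACLs are added so that the anonymous-access concern raised above is handled on the OpenLDAP side.

```conf
# Added example slapd.conf (not the posters' own config): AD proxy as a
# subordinate of a local hdb database, idassert-bind with mode=none, and ACLs
# that keep anonymous clients from searching AD through the proxy.
# Host and DNs are from the thread; suffix and secrets are placeholders.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
moduleload      back_hdb
moduleload      back_ldap
moduleload      rwm

#### Part A: proxy to AD, glued in as a subtree (subordinates are declared first)
database        ldap
suffix          "ou=corp,dc=agis,dc=local"
subordinate
uri             "ldap://corp-ad.mascorp.com"
# Map AD's naming context onto the local subtree.
overlay         rwm
rwm-suffixmassage "ou=corp,dc=agis,dc=local" "dc=mascorp,dc=com"
# mode=none: every operation reaches AD as the service account, so anonymous
# OpenLDAP clients no longer arrive at AD anonymously. A client's own simple
# bind against an AD DN is still forwarded as that DN.
idassert-bind   bindmethod=simple
                binddn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com"
                credentials="REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
                mode=none
# The service account now does the reading, so restrict who may search
# through the proxy on the OpenLDAP side: authenticated users only.
access to *
        by users read
        by anonymous auth
        by * none

#### Part B: local database for external/3rd-party users
database        hdb
suffix          "dc=agis,dc=local"
rootdn          "cn=admin,dc=agis,dc=local"
rootpw          {SSHA}REPLACE-WITH-HASHED-PASSWORD
directory       /var/lib/ldap/agis
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by users read
        by * none
```

Check the result with `slaptest -f slapd.conf` before restarting, then compare an anonymous and an authenticated `ldapsearch -b "ou=corp,dc=agis,dc=local"` against the proxy: the first should be refused by the ACL, the second should return AD entries without slapd ever binding to AD anonymously.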