Hi,
On 20/08/2010 14:24, Marius Flage wrote:
> I'm trying to set up OpenLDAP to act as a proxy for Active Directory. OpenLDAP should be the internet-facing interface for all external queries for the AD catalog. I've gotten the connection set up and I'm able to retrieve and search for most important values. However, when I try to get out the group membership of the different objects, I've encountered some problems.
> When doing a search directly towards Active Directory I can see the memberOf attributes for the objects [1], but when I perform the very same search through the proxy, those attributes have been ignored/stripped away from the result [2].
> [...]
> So my question is basically: how can I get the memberOf attribute included in my searches through OpenLDAP? Do I need to include the schema, or am I approaching this from the wrong angle? What needs to be done to set up OpenLDAP as a completely transparent proxy towards Active Directory - basically having it behave as if it were the AD itself answering whenever you query the proxy?
I have an OpenLDAP proxy running to AD, and I just checked that I can see the memberOf attribute fine in search results. This is using the latest 2.4.23, and no added schema.
OpenLDAP has a special feature whereby if it sees an unknown attribute description in a search result from a proxied LDAP server, it adds a pseudo-attribute definition to its local schema. You can see these attributes in CAPITALS in your search results.
So, in order for your OpenLDAP proxy to be able to return memberOf attributes, it first needs to know about them via a search result. Make sure your searches do not include filters on unknown attributes.
Also, I note that your slapd.conf contains a configuration for the "memberof" overlay over your ldap database. This seems unnecessary, and may well cause problems. I suggest you remove it.
Hope this helps,
Jonathan
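As an added example (not part of either message in this thread, and not taken from Marius's slapd.conf), here is the shape a slapd.conf takes once Jonathan's advice is applied: one back-ldap database in front of AD, no memberof overlay, a dedicated low-privilege bind account, and ACLs that fit an internet-facing listener. The hostnames, DNs, account name, password and address range are constructed placeholders; replace them with your own.

```conf
# Added example slapd.conf fragment for an OpenLDAP 2.4 back-ldap proxy to
# Active Directory. All names and addresses below are constructed placeholders.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# CA that signed the AD domain controller's certificate, so the proxy can
# verify it when connecting over ldaps://.
TLSCACertificateFile /etc/openldap/cacerts/ad-ca.pem

# The proxy database: a single "ldap" backend with no overlays. There is
# deliberately no "overlay memberof" here. memberOf comes back from AD as an
# attribute the proxy does not know; slapd registers it as a proxied
# attribute type the first time it appears in a search result and then
# returns it to clients like any other attribute.
database        ldap
suffix          "dc=example,dc=local"
uri             "ldaps://ad.example.local/"
protocol-version 3
chase-referrals no

# Bind to AD as one read-only service account and use it for every forwarded
# operation (mode=none: client identities are not asserted towards AD).
# External clients never need AD credentials of their own.
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=example,dc=local"
                credentials="PLACEHOLDER-PASSWORD"
                mode=none

# ACLs on the proxy decide what leaves it. Password attributes are never
# exposed; reads are limited to the constructed 192.0.2.0/24 range and
# everything else is denied. Widen or narrow the peername clause to taste.
access to attrs=userPassword
        by * none
access to *
        by peername.ip=192.0.2.0%255.255.255.0 read
        by * none
```

Two practical notes follow from the thread. First, because memberOf is only learned from search results, a search whose filter names memberOf before the proxy has ever seen it in a result is evaluated against an attribute the proxy does not yet know; request the attribute in a plain search first (for example `ldapsearch -x -H ldap://proxy/ -b dc=example,dc=local '(cn=someuser)' memberOf`) and only then rely on it in filters. Second, the ACL attrs list above sticks to attributes defined in the included schema files; if you want to restrict AD-specific attributes such as memberOf by name, test that your slapd accepts them in the attrs list at startup, since they are not in the local schema.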