On Wed, 25 Mar 2009 16:49:20 +0100 Pierangelo Masarati ando@sys-net.it wrote:
Bogdan B. Rudas wrote:
Hello.
I use OpenLDAP as a proxy for M$ AD. The problem is: I can set a filter only by some fields like CN or Name. I can't query AD by sAMAccountName via the proxy. Also I can't see many AD-specific fields while browsing AD via the OpenLDAP proxy.
Request to proxy:
ldapsearch -M -LLL -H ldap://localhost:389 -x -D "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w password -x -b "dc=domain,dc=company,dc=com" '(sAMAccountName=bogdan.rudas)' sAMAccountName
Returns nothing.
Request directly to AD LDAP:
ldapsearch -M -LLL -H ldap://ADserver.domain.company.com:1234 -x -D "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w password -x -b "dc=domain,dc=company,dc=com" '(sAMAccountName=bogdan.rudas)' cn
Returns:
dn: CN=Bogdan Rudas.......skipped....
cn: Bogdan Rudas
Yet another request to proxy:
ldapsearch -M -LLL -H ldap://ADserver.domain.company.com:1234 -x -D "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w password -x -b "dc=domain,dc=company,dc=com" '(name=Bogdan Rudas)' cn sAMAccountName
dn: cn=Bogdan Rudas.......skip.....
cn: Bogdan Rudas
SAMACCOUNTNAME: bogdan.rudas
Slapd version 2.4.11-1, running on Debian 5.0 amd64.
OpenLDAP config:
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
modulepath      /usr/lib/ldap
moduleload      back_ldap
access to dn.base=""
        by * read
access to *
        by self read
        by users read
        by anonymous auth
loglevel        256
######################################################
# database definitions
######################################################
database        ldap
suffix          "dc=intra,dc=nival,dc=com"
uri             "ldap://ADserver.domain.company.com:1234"
acl-bind        bindmethod=simple binddn="cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" credentials=password
chase-referrals yes
Your proxy knows nothing about those schema items, that's why they are ignored by slapd. You need to extract that information from AD, format it according to slapd's syntax for the "attributeType" and "objectClass" keywords in slapd.conf(5) and pre-load them much like you do with other schema items (the "include <file>.schema" lines above).
p.
Hello! Thank you for your response.
I made a custom schema with the following (I got the values with Apache Directory Studio):
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
Now I can see this field in the LDAP browser, but I still can't do searches using this field.
There are so many objectclasses in AD; how can I determine which of them I really need? I used slapd -d 1 and -d 512; both were like voodoo magic for me because I don't know what I should look for.
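As an added worked example (not from the thread and not OpenLDAP project code), here is the formatting step Pierangelo describes, done in Python: it takes attributeTypes values in the form AD publishes them in its subschema (the quoted-SYNTAX form shown in the custom schema above) and emits slapd.conf attributetype lines. The one thing it adds is an EQUALITY (and, for string syntaxes, SUBSTR) matching rule per syntax: slapd will not evaluate an equality filter against an attribute whose definition carries no EQUALITY rule, which is what leaves '(sAMAccountName=...)' empty through the proxy even after the attribute type itself is loaded and visible in a browser. The syntax-to-rule table, the CORE_NAMES set and the 1.3.6.1.4.1.99999.* OIDs are the example's own assumptions and placeholders; only the sAMAccountName definition comes from the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matching rules to attach per LDAP syntax (RFC 4517 syntax OIDs). AD's subschema
# publishes attribute types without EQUALITY/SUBSTR rules, and slapd will not evaluate
# an equality or substring filter on an attribute that has none. This mapping is the
# example's own choice, following what core.schema uses for the same syntaxes.
SYNTAX_TO_RULES: Dict[str, Tuple[str, Optional[str]]] = {
    "1.3.6.1.4.1.1466.115.121.1.15": ("caseIgnoreMatch", "caseIgnoreSubstringsMatch"),       # Directory String
    "1.3.6.1.4.1.1466.115.121.1.26": ("caseIgnoreIA5Match", "caseIgnoreIA5SubstringsMatch"),  # IA5 String
    "1.3.6.1.4.1.1466.115.121.1.27": ("integerMatch", None),                                  # INTEGER
    "1.3.6.1.4.1.1466.115.121.1.7": ("booleanMatch", None),                                   # Boolean
    "1.3.6.1.4.1.1466.115.121.1.12": ("distinguishedNameMatch", None),                        # DN
    "1.3.6.1.4.1.1466.115.121.1.24": ("generalizedTimeMatch", None),                          # Generalized Time
    "1.3.6.1.4.1.1466.115.121.1.40": ("octetStringMatch", None),                              # Octet String
}

# Names already provided by the schema files included in the thread's slapd.conf
# (core/cosine/inetorgperson); slapd rejects a second definition of the same name.
# Illustrative subset, not a complete list.
CORE_NAMES = frozenset(n.lower() for n in ("cn", "name", "sn", "description", "mail", "member", "objectClass"))

# AD quotes the syntax OID (slapd tolerates it, but the RFC 4512 form is unquoted)
# and may append a length bound such as {256}.
_AT_RE = re.compile(
    r"^\(\s*(?P<oid>[0-9.]+)\s+NAME\s+'(?P<name>[^']+)'"
    r"(?P<middle>.*?)\s*SYNTAX\s+'?(?P<syntax>[0-9.]+)'?(?P<len>\{\d+\})?"
    r"(?P<rest>.*?)\s*\)\s*$"
)

# Constructed sample input. The first value is the sAMAccountName definition from the
# thread (as Apache Directory Studio shows it); the 1.3.6.1.4.1.99999.* OIDs are placeholders.
AD_ATTRIBUTE_TYPES = [
    "( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
    "( 1.3.6.1.4.1.99999.1.1 NAME 'exampleFlags' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )",
    "( 1.3.6.1.4.1.99999.1.2 NAME 'exampleManagerRef' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )",
    "( 1.3.6.1.4.1.99999.1.3 NAME 'exampleMailAlias' EQUALITY caseIgnoreIA5Match SYNTAX '1.3.6.1.4.1.1466.115.121.1.26'{256} )",
    "( 1.3.6.1.4.1.99999.1.4 NAME 'exampleBlob' SYNTAX '1.3.6.1.4.1.1466.115.121.1.5' )",
    "( 2.5.4.3 NAME 'cn' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )",
]


def convert_attribute_type(ad_definition: str) -> Optional[str]:
    """Rewrite one attributeTypes value from AD's subschema as a slapd.conf
    'attributetype' line that carries EQUALITY (and SUBSTR where sensible).

    Returns None when the line does not parse or its syntax is not in SYNTAX_TO_RULES,
    so the caller can report it instead of loading a definition that still cannot be searched."""
    m = _AT_RE.match(ad_definition.strip())
    if not m:
        return None
    middle, rest = m.group("middle").strip(), m.group("rest").strip()
    syntax = m.group("syntax") + (m.group("len") or "")   # keep any {len} bound
    parts: List[str] = [middle] if middle else []          # e.g. a DESC AD already supplied
    if "EQUALITY" not in middle and "EQUALITY" not in rest:
        rules = SYNTAX_TO_RULES.get(m.group("syntax"))
        if rules is None:
            return None
        equality, substr = rules
        parts.append(f"EQUALITY {equality}")
        if substr:
            parts.append(f"SUBSTR {substr}")
    parts.append(f"SYNTAX {syntax}")
    if rest:
        parts.append(rest)                                 # SINGLE-VALUE, NO-USER-MODIFICATION, ...
    return f"attributetype ( {m.group('oid')} NAME '{m.group('name')}' {' '.join(parts)} )"


def convert_schema(ad_definitions: List[str], already_defined=CORE_NAMES) -> Tuple[List[str], List[str]]:
    """Convert a list of AD attributeTypes values; returns (slapd lines, skipped inputs)."""
    converted: List[str] = []
    skipped: List[str] = []
    for definition in ad_definitions:
        m = _AT_RE.match(definition.strip())
        if m and m.group("name").lower() in already_defined:
            skipped.append(definition)   # slapd already knows this one from an included schema
            continue
        line = convert_attribute_type(definition)
        if line is None:
            skipped.append(definition)
        else:
            converted.append(line)
    return converted, skipped


if __name__ == "__main__":
    lines, rejected = convert_schema(AD_ATTRIBUTE_TYPES)
    print("# Generated from AD subschema; include this file from slapd.conf after core.schema")
    print("\n".join(lines))
    for r in rejected:
        print(f"# skipped (already defined or unmapped syntax): {r}")
```

Write the output to a file and add an "include" for it after the core/cosine/inetorgperson includes; the skipped lines are printed as comments so nothing half-defined is loaded silently. For the proxy case only the attribute types are needed to make the filter work, since slapd applies no schema checking to entries it receives from the remote server; objectclass definitions become necessary only if something on the slapd side has to validate entries.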