Hey guys,
I got a huge problem here. I’ve been trying to merge users from a local LDAP (ou=local-users,ou=accounts,dc=domain: which authenticates against a remote active directory (which is not ldap://remote.site) with sasl) with local users who use a local stored password and with users from a remote active directory without storing them locally. Let’s say i have the following structure:
Local-LDAP (ldap://localhost):
* dc=domain * ou=accounts * ou=local-users (with sasl) * ou=remote-users (Meta-Backend Proxy to ldap://remote.site – ou=accounts,dc=remote-domain) * ou=users (without sasl; password is stored locally)
Remote-AD (ldap://remote.site):
* dc=remote-domain * ou=accounts * <All Users are stored in this OU>
The local LDAP structure works as expected. When i request ou=accounts,dc=domain i get all users located in ou=local-users and ou=users. And now i point out the problem: I only get the object ou=remote-users without the users from ou=accounts,dc=remote-domain so the ou=remote-users seems to be empty. But when i explicit request the full DN of ou=remote-users (ou=remote-user,ou=accounts,dc=domain) i get the full list of all users located in ou=accounts,dc=remote-domain.
Here’s my slapd.conf: ####################################################################### # Global Directives: ####################################################################### # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema
# Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values logfile /etc/ldap/slapd.log loglevel 1
sasl-host localhost sasl-secprops none
####################################################################### # Dynamic Module Directives ####################################################################### # Base Path and individual modules. modulepath /usr/lib/ldap moduleload back_hdb.so moduleload refint.so moduleload memberof.so moduleload back_meta.so moduleload rwm.so
# Defining referral integrity module to make sure the group relations are automatically updated. NOTE: Only when a 'delete' or 'edit' command has been issued. overlay refint refint_attributes member uniqueMember seeAlso refint_nothing cn=EMPTY
# Defining memberof module which make sure to update the group affiliation for each user. NOTE: Added an own attribute to all users named: 'memberOf' which contains all groups. overlay memberof
####################################################################### # Database Directives: ####################################################################### database meta suffix "ou=remote-users,ou=accounts,dc=domain" readonly off lastmod off
uri "ldap://remote.site/ou=remote-users,ou=accounts,dc=domain" suffixmassage "ou=remote-users,ou=accounts,dc=domain“ „ou=accounts,dc=remote-domain" idassert-bind bindmethod=simple binddn=„cn=root,dc=remote-domain" credentials=„root" mode=none flags=non-prescriptive idassert-authzFrom „dn.exact:cn=root,dc=remote-domain"
database hdb directory /var/lib/ldap suffix „dc=domain" rootdn "cn=root,dc=domain" rootpw root index objectclass eq index uid eq,sub lastmod off readonly off
My Search Results at parent OU:
#### ldapsearch -M -a always -D "cn=root,dc=domain" -w root -b "ou=accounts,dc=domain“ dn
# extended LDIF # # LDAPv3 # base <ou=accounts,dc=domain> with scope subtree # filter: (objectclass=*) # requesting: dn # with manageDSAit control #
# accounts, domain dn: ou=accounts,dc=domain
# local-users, accounts, domain dn: ou=local-users,ou=accounts,dc=domain
# frank, local-users, accounts, domain dn: cn=frank,ou=local-users,ou=accounts,dc=domain
# remote-users, accounts, domain dn: ou=remote-users,ou=accounts,dc=domain
# users, accounts, domain dn: ou=users,ou=accounts,dc=domain
# peter, users, accounts, domain dn: cn=peter,ou=users,ou=accounts,dc=domain
My Search Results at child and proxied OU:
#### ldapsearch -M -a always -D "cn=root,dc=domain" -w root -b „ou=remote-accounts,ou=accounts,dc=domain“ dn
# extended LDIF # # LDAPv3 # base <ou=remote-users,ou=accounts,dc=domain> with scope subtree # filter: (objectclass=*) # requesting: dn # with manageDSAit control #
# remote-users, accounts, domain dn: ou=remote-users,ou=accounts,dc=domain
dn: cn=albert,ou=remote-users,ou=accounts,dc=domain
I hope you guys can help me out. If you have further question, please leave a mail.
Kind regards, Marvyn :)