I've been banging my head against the wall with this project for the last few months and still haven't found a decent solution for my problem.
I'm trying to set up OpenLDAP to act as a proxy for Active Directory. OpenLDAP should be the internet-facing interface for all external queries for the AD catalog. I've gotten the connection set up and I'm able to retrieve and search for most important values. However, when I try to get out the group membership of the different objects, I've encountered some problems.
When doing a search directly towards Active Directory I can see the memberOf attributes for the objects [1], but when I perform the very same search through the proxy, those attributes have been ignored/stripped away from the result [2].
I've tried including schemas for Active Directory found on the internet (like http://www.grotan.com/ldap/microsoft.schema), but if I try to include this in OpenLDAP I get lots and lots of errors and I have to start commenting out different attributes and objecttypes to get OpenLDAP to start. Example of errors are stuff like:
/etc/ldap/schema/microsoft2.schema: line 30 objectclass: AttributeType not found: "remoteSource"
And then I comment out the objectclass and retry. And this basically goes on and on forever.
I've also tried just including the attribute I'm looking for, namely memberOf, like so:
attributetype ( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' NO-USER-MODIFICATION )
And then I get the following error when I try to start slapd:
/etc/ldap/schema/activedirectory.schema: line 60 attributetype: AttributeType inappropriate USAGE: "memberOf"
/etc/ldap/slapd.conf: line 15: <include> handler exited with 1!
So my question is basically: how can I get the memberOf attribute included in my searches through OpenLDAP? Do I need to include the schema, or am I approaching this from the wrong angle? What needs to be done to set up OpenLDAP as a completely transparent proxy towards Active Directory - basically having it behave as if it were the AD itself answering whenever you query the proxy?
I'd be very grateful for whatever question or feedback I can get, since this has been bothering me for a very long time now.
I've also included my slapd.conf file [3] and the schema [4] I've tried including.
- Marius
[1] http://pastebin.com/E6GVViGE
[2] http://pastebin.com/W28KPSky
[3] http://pastebin.com/T5Wd4JEB
[4] http://pastebin.com/8AGtnj2Q
Hi,
On 20/08/2010 14:24, Marius Flage wrote:
> I'm trying to set up OpenLDAP to act as a proxy for Active Directory. OpenLDAP should be the internet-facing interface for all external queries for the AD catalog. I've gotten the connection set up and I'm able to retrieve and search for most important values. However, when I try to get out the group membership of the different objects, I've encountered some problems.
> When doing a search directly towards Active Directory I can see the memberOf attributes for the objects [1], but when I perform the very same search through the proxy, those attributes have been ignored/stripped away from the result [2].
> [...]
> So my question is basically; how can I get the memberOf attribute included in my searches through OpenLDAP? Do I need to include the schema or am I approaching this from the wrong angle? What needs to be done to set up OpenLDAP as a complete transparent proxy towards Active Directory - basically having it behave as it was the AD itself answering whenever you query the proxy?
I have an OpenLDAP proxy running to AD, and I just checked that I can see the memberOf attribute fine in search results. This is using the latest 2.4.23, and no added schema.
OpenLDAP has a special feature whereby if it sees an unknown attribute description in a search result from a proxied LDAP server, it adds a pseudo-attribute definition to its local schema. You can see these attributes in CAPITALS in your search results.
So, in order for your OpenLDAP proxy to be able to return memberOf attributes, it first needs to know about them via a search result. Make sure your searches do not include filters on unknown attributes.
Also, I note that your slapd.conf contains a configuration for the "memberof" overlay over your ldap database. This seems unnecessary, and may well cause problems. I suggest you remove it.
Hope this helps,
Jonathan
openldap-technical@openldap.org
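The configuration below is an added example (not the poster's slapd.conf and not OpenLDAP project code) that puts Jonathan's reply into a minimal slapd.conf: a back-ldap database in front of AD with no AD schema included and no memberof overlay, so that AD's own memberOf values are passed through once the proxy has seen them in a result. The suffix, hostnames, bind DNs, certificate paths and the two ldapsearch commands in the trailing comments are placeholders I have assumed; the TLS and referral settings are additions an internet-facing deployment would want and are not discussed in the thread.

```conf
# /etc/ldap/slapd.conf  (OpenLDAP 2.4, slapd.conf style as used in the thread)
# Added example, not the poster's file. Suffix, hostnames, DNs and paths are
# assumed placeholders.

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
# Deliberately no microsoft/activedirectory schema: back-ldap learns unknown
# attribute descriptions (memberOf, sAMAccountName, ...) from proxied results.

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

# TLS for the internet-facing listener (start slapd with -h "ldaps:///").
TLSCACertificateFile    /etc/ssl/certs/proxy-ca.pem
TLSCertificateFile      /etc/ssl/certs/proxy.pem
TLSCertificateKeyFile   /etc/ssl/private/proxy.key

modulepath      /usr/lib/ldap
moduleload      back_ldap

database        ldap
suffix          "dc=example,dc=com"
# AD leg over LDAPS; the AD CA is taken from TLS_CACERT in the client
# ldap.conf (assumption about the local setup).
uri             "ldaps://dc1.example.com/"
protocol-version 3
# AD answers with referrals for its other naming contexts; an internet-facing
# proxy should neither chase them nor hand them to clients.
chase-referrals no
norefs          yes

# No idassert-bind: every client's own bind is forwarded to AD, so an
# anonymous internet client sees exactly what AD shows anonymous users.
# memberOf cannot be named in an ACL here: it is not in the local schema when
# the config is parsed (the same error class the poster hit), so restrict by
# who may bind rather than by attribute.
access to *
        by users read
        by * none

# No "overlay memberof": that overlay maintains memberOf for a local database
# from member/uniqueMember updates; on a proxy it has nothing to maintain and
# only interferes with the values AD already sends.

# Checks (run from a shell, placeholders as above):
#   slaptest -f /etc/ldap/slapd.conf -u
#   # First search: filter on a core-schema attribute and ask for memberOf,
#   # which is how the proxy first sees the attribute description.
#   ldapsearch -H ldaps://proxy.example.com -x \
#       -D 'CN=Jane Doe,OU=Users,DC=example,DC=com' -W \
#       -b dc=example,dc=com '(cn=Jane Doe)' memberOf
#   # Only after memberOf has appeared in a result can it be used in a filter.
#   ldapsearch -H ldaps://proxy.example.com -x \
#       -D 'CN=Jane Doe,OU=Users,DC=example,DC=com' -W \
#       -b dc=example,dc=com '(memberOf=CN=Staff,OU=Groups,DC=example,DC=com)' cn
```

The ordering of the two searches is the operational consequence of what Jonathan describes: a freshly started proxy that receives a filter on memberOf before it has returned memberOf in any result has no attribute type to match against, so seed it with a search that requests the attribute explicitly while filtering on something core.schema already knows.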