Hello everyone.
First of all, I'm a newbie in OpenLDAP server administration (but not in Active Directory). That said, this is my goal:
- set up an LDAP front-end server in front of an AD back-end server; so far, there is plenty of info about this.
But I want to do it in an environment where there are many UX services which bind to the AD server, and each of these services needs an ldap-client configuration, with insertion and storage of credentials for binding. One of these is Dovecot, which does LDAP authentication of each of its users in the typical fashion...
user: ad_username@my.ad psw: ad_username_password
Hence, I wish to avoid spreading AD binding credentials around by gathering this pair of data in just one point of my system: that is, the OpenLDAP proxy or slapd front-end.
I've already tried to do it.
First of all, I got an error at the installation stage which drove me crazy and which I have not yet solved: i.e., after copying the DB_CONFIG example file to the lib directory:
root@lamp ~# rm -fr /var/lib/ldap/* && rm -fr /etc/ldap/slapd.d/* && cp /usr/share/slapd/DB_CONFIG /var/lib/ldap/DB_CONFIG
when I run:
root@lamp ~# slapadd -v -l xdom.ldif+
I get an error like the following:
52e1597b bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (14).
Even though DB_CONFIG is there and has the right permissions... Anyway, I discovered that this issue was not blocking, so I went forward.
I populated slapd.d:
root@lamp ~# slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/
52e280b2 bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (14).
Expect poor performance for suffix "dc=xdom,dc=loc".
I gave the right permissions to the directories:
root@lamp ~# chown -R openldap:openldap /etc/ldap/slapd.d/ && chown -R openldap:openldap /var/lib/ldap/
and I started the LDAP service:
root@lamp ~# service slapd start
At this point, I tested the OpenLDAP proxy server with 5 combinations of LDAP requests:
1) bypassing the OpenLDAP proxy server and binding directly to the AD server by conventional DN:
ldapsearch -H ldap://server.my.ad -D "cn=ad_user,ou=ced,dc=my,dc=ad" -w ad_user_password -x -b "ou=ced,dc=my,dc=ad" -LLL "(sAMAccountName=*)"
and it works.
2) bypassing the OpenLDAP proxy server and binding directly to the AD server by UPN (User Principal Name):
ldapsearch -H ldap://server.my.ad -D ad_user@my.ad -w ad_user_password -x -b "ou=ced,dc=my,dc=ad" -LLL "(sAMAccountName=*)"
and it works.
3) through the OpenLDAP proxy server without any bind:
ldapsearch -x -b "ou=ced,dc=my,dc=ad" -LLL "(sAMAccountName=*)"
and it works.
4) through the OpenLDAP proxy server, binding by conventional DN:
ldapsearch -D "cn=ad_user,ou=ced,dc=my,dc=ad" -w ad_user_password -x -b "ou=ced,dc=my,dc=ad" -LLL "(sAMAccountName=*)"
and it works.
5) through the OpenLDAP proxy server, binding by UPN (User Principal Name):
ldapsearch -D ad_user@my.ad -w ad_user_password -x -b "ou=ced,dc=my,dc=ad" -LLL "(sAMAccountName=*)"
and it DOES NOT work.
And it is a very BIG BIG problem for me: I cannot force users to authenticate themselves to Dovecot with a complicated and unacceptable (because of comma, equals and space characters) DN!!!!
I tried to tackle this issue with the rewrite overlay, only to discover that this library rewrites the bind DN only after the "dnPrettyNormal()" call (making the "rewriting method" useless...)
Now, please: help me!!!! What can I do? How can I solve my issue??? And how can I avoid the DB_CONFIG issue?
Regards, Egidio.
PS: my ldap.conf and slapd.conf follow
## LDAP.CONF ####################################
BASE        dc=xdom,dc=loc
URI         ldap://localhost
TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
## SLAPD.CONF ####################################
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

logfile         /var/log/slapd.log
loglevel        -1

modulepath      /usr/lib/ldap
moduleload      back_bdb
moduleload      back_ldap
moduleload      rwm

tool-threads    1

database        bdb
suffix          "dc=xdom,dc=loc"
checkpoint      1024 15
rootdn          "cn=droot,dc=xdom,dc=loc"
rootpw          {SSHA}Xhy4Gc0k5DU+gfpbpkv+PJWJ92Itp5rJ

database        ldap
suffix          "dc=ts,dc=dipvvf,dc=it"
uri             "ldap://server.my.ad/ ldap://server2.my.ad/"
rebind-as-user
idassert-bind   bindmethod=simple
                binddn="cn=email ed. demon,ou=email,ou=virtualization,ou=ced,dc=ts,dc=dipvvf,dc=it"
                credentials=xxxxxx
                mode=none
idassert-authzFrom "*"

overlay         rwm
rwm-rewriteEngine on
rwm-rewriteMap  ldap samacc "ldap://vfdc1.ts.dipvvf.it/dc=ts,dc=dipvvf,dc=it?dn?sub?samaccountname="
#               "ldap:///dc=ts,dc=dipvvf,dc=it?dn?sub?samaccountname="
rwm-rewriteContext bindDN
rwm-rewriteRule "^([^,]+)@[^,]+$" "${samacc($1)}" ":@I"
On 25 Jan 2014, at 15:32 , egidiomelissano@libero.it wrote:
And it is a very BIG BIG problem for me: I cannot force users to authenticate themselves to Dovecot with a complicated and unacceptable (because of comma, equals and space characters) DN!!!!
You can configure Dovecot to use any (unique) user record attribute for authentication. Why don't you use that route? See http://wiki2.dovecot.org/AuthDatabase/LDAP for details.
jens
openldap-technical@openldap.org
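As an added example (not code from either message in this thread), here is what the route jens points to looks like in Dovecot 2.x, assuming the slapd proxy from Egidio's slapd.conf is listening on localhost and that, as his test 3 shows, an anonymous search through it is forwarded to AD under the proxy's idassert-bind identity. With this setup Dovecot holds no AD credentials at all: it finds the user's DN with an anonymous search and then binds as that DN with the password the user typed, which back-ldap passes through to AD (rebind-as-user). The search base and object names are taken from the thread; the `vmail` paths and the file names are placeholders.

```ini
# /etc/dovecot/dovecot-ldap.conf.ext  (added example, assumed file name)
# Dovecot talks only to the local slapd proxy; no AD service account here.
uris = ldap://localhost
ldap_version = 3
base = ou=ced,dc=my,dc=ad
scope = subtree

# No "dn"/"dnpass": the DN lookup below is an anonymous search, which the
# proxy forwards to AD as its own idassert-bind identity.

# Step 1: map the login name to the user's AD DN.
# %n is the local part of the login, so both "ad_user" and "ad_user@my.ad"
# resolve to the same sAMAccountName; the user never types a DN.
pass_filter = (&(objectClass=user)(sAMAccountName=%n))

# Step 2: bind as the DN found in step 1 with the user's own password.
# The proxy's rebind-as-user forwards this bind, so AD checks the password.
auth_bind = yes

# userdb lookup for mailbox placement (placeholder uid/gid/home values).
user_filter = (&(objectClass=user)(sAMAccountName=%n))
user_attrs = =uid=vmail,=gid=vmail,=home=/var/mail/%d/%n

# /etc/dovecot/conf.d/auth-ldap.conf.ext  (added example, assumed file name)
# passdb {
#   driver = ldap
#   args = /etc/dovecot/dovecot-ldap.conf.ext
# }
# userdb {
#   driver = ldap
#   args = /etc/dovecot/dovecot-ldap.conf.ext
# }
```

Check it with `doveadm auth test ad_user@my.ad` (it prompts for the password); a successful result means the anonymous lookup and the pass-through bind both went through the proxy. This also sidesteps the rewrite problem from the first message: the bind Dovecot sends is already a syntactically valid DN, so nothing has to be rewritten before dnPrettyNormal().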