Hi,
I have two Active Directories in my company. As I have an application which only has the possibility to query one LDAP server for authentication, I thought about a metadirectory as described here: http://ltb-project.org/wiki/documentation/general/sasl_delegation and here https://www.memolinux.info/doku.php?id=unix:ldap:openldapads&s=meta#back...
So I started with OpenLDAP 2.4.31 from Debian 7.4.
My starting configuration looks like below.
What I was missing from the documentation: I need a schema where sAMAccountName, proxyAddresses and so on are defined. So I created the msad.schema as described here: http://serverfault.com/questions/151688/configuring-openldap-as-a-active-dir...
Now I don't get an error when I start up slapd. But when I do a search against the metadirectory, for example "ldapsearch -x -D cn=manager,dc=meta -b dc=meta uid=testuser", I see in Wireshark:
- the bind request
- the search request within DC=D6200,DC=comp,DC=com
- but the search criteria look like this: (!(objectclass=*)), not (objectclass=*), which finds nothing and gives me 0 results.
I also found: http://www.openldap.org/lists/openldap-technical/201206/msg00168.html But what is unclear here: what schema definitions do I need with this?
Could someone point me to my error, as I am nearly blind from comparing.
Thomas
slapd.conf
==========
# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/misc.schema
# msad.schema: locally written schema defining sAMAccountName, proxyAddresses, ...
include         /etc/ldap/schema/msad.schema

pidfile         /var/run/slapd/slapd.pid
loglevel        99

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_hdb
moduleload      back_ldap
moduleload      back_meta
moduleload      rwm

# Global ACL: anyone may read everything the proxy returns
access to * by * read

# Database
database        meta
suffix          "dc=meta"
rootdn          "cn=Manager,dc=meta"
# cleartext rootpw and target credentials below: keep this file readable by slapd's user only
rootpw          secret

# LDAP 1 (global catalog port 3268 of the first forest)
uri             "ldap://192.168.0.2:3268/ou=vzp,dc=meta"
lastmod         off
suffixmassage   "ou=vzp,dc=meta" "DC=D6200,DC=comp,DC=com"
idassert-bind   bindmethod=simple
                binddn="CN=Meta,CN=Users,DC=D6200,DC=comp,DC=com"
                credentials="secret"
                mode=none
                flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=Manager,dc=meta"

# NOTE: an 'overlay' directive attaches to the whole 'database meta', not to the
# preceding 'uri' target, so this file instantiates rwm twice on one database.
# back-meta also has its own per-target 'map' directive, see slapd-meta(5).
overlay rwm
rwm-map objectclass account user
rwm-map attribute mail proxyAddresses
rwm-map attribute uid sAMAccountName
rwm-map attribute cn name
# catch-all rule for every attribute not listed above
rwm-map attribute *

# LDAP 2 (global catalog port 3268 of the second forest)
uri             "ldap://192.168.13.2:3268/ou=azp,dc=meta"
lastmod         off
suffixmassage   "ou=azp,dc=meta" "DC=d5820,DC=muc,DC=com"
idassert-bind   bindmethod=simple
                binddn="CN=Meta,CN=Users,DC=d5820,DC=muc,DC=com"
                credentials="secret"
                mode=none
                flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=Manager,dc=meta"

overlay rwm
rwm-map objectclass account user
rwm-map attribute mail proxyAddresses
rwm-map attribute uid sAMAccountName
rwm-map attribute cn name
# catch-all rule for every attribute not listed above
rwm-map attribute *
openldap-technical@openldap.org
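An added example, not code from the post above or from OpenLDAP, that models in Python how an rwm-style attribute map rewrites a search filter before it is sent to the remote server. It assumes (this is my reading of slapo-rwm, not verified against its source) that a filter attribute with no map entry is rewritten to (!(objectClass=*)) while a drop-style catch-all is in force, that a `* *` catch-all passes unmapped attributes through, and that two overlay instances on one database run one after the other. The names RwmMap, rewrite_through, AD_MAP and AD_OC_MAP are mine; the map table itself is copied from the slapd.conf in the post.

```python
"""Model of rwm-style filter rewriting (constructed example, not OpenLDAP code).

Assumptions, also stated in the lead-in:
  * a filter attribute with no map entry becomes (!(objectClass=*)) when the
    drop-style catch-all `rwm-map attribute *` is in force;
  * `rwm-map attribute * *` (pass-through) leaves unmapped attributes alone;
  * stacked rwm instances on one database rewrite the filter in sequence.
"""
import re

# Filter that can never match; used for an attribute the map cannot translate.
NEVER_MATCH = ("!", [("item", "objectClass", "=", "*")])

_ITEM_RE = re.compile(r"([A-Za-z][\w.;-]*)(>=|<=|~=|=)(.*)$")


def parse_filter(text, pos=0):
    """Recursive-descent parser for RFC 4515 filters: &, |, ! and simple items."""
    if text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if text[pos] in "&|!":
        op = text[pos]
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        return (op, children), pos + 1
    end = text.index(")", pos)          # ')' inside values is escaped as \29 per RFC 4515
    m = _ITEM_RE.match(text[pos:end])
    if not m:
        raise ValueError("bad filter item %r" % text[pos:end])
    attr, op, value = m.groups()
    return ("item", attr, op, value), end + 1


def unparse_filter(node):
    """Serialise a parsed filter back to RFC 4515 text."""
    if node[0] == "item":
        return "(%s%s%s)" % (node[1], node[2], node[3])
    return "(%s%s)" % (node[0], "".join(unparse_filter(c) for c in node[1]))


class RwmMap:
    """One rwm overlay instance: attribute map, objectClass value map, catch-all policy."""

    def __init__(self, attrs, objectclasses=None, drop_unmapped=True):
        self.attrs = {k.lower(): v for k, v in attrs.items()}
        self.ocs = {k.lower(): v for k, v in (objectclasses or {}).items()}
        # True  ~ `rwm-map attribute *`   (unmapped attributes are dropped)
        # False ~ `rwm-map attribute * *` (unmapped attributes pass through)
        self.drop_unmapped = drop_unmapped

    def _map_node(self, node):
        if node[0] != "item":
            return (node[0], [self._map_node(c) for c in node[1]])
        _, attr, op, value = node
        if attr.lower() == "objectclass":
            # objectClass itself is always known; only its value goes through the oc map
            return ("item", attr, op, self.ocs.get(value.lower(), value))
        remote = self.attrs.get(attr.lower())
        if remote is not None:
            return ("item", remote, op, value)
        return NEVER_MATCH if self.drop_unmapped else node

    def rewrite(self, filter_text):
        if not filter_text.startswith("("):
            filter_text = "(%s)" % filter_text   # ldapsearch adds the parentheses for you
        node, _ = parse_filter(filter_text)
        return unparse_filter(self._map_node(node))


def rewrite_through(filter_text, instances):
    """Run the filter through several stacked rwm instances, one after the other."""
    for inst in instances:
        filter_text = inst.rewrite(filter_text)
    return filter_text


# Map table copied from the posted slapd.conf (one instance's worth).
AD_MAP = {"mail": "proxyAddresses", "uid": "sAMAccountName", "cn": "name"}
AD_OC_MAP = {"account": "user"}

if __name__ == "__main__":
    single = RwmMap(AD_MAP, AD_OC_MAP)
    print(single.rewrite("uid=testuser"))
    # The same map applied twice: the second pass no longer knows sAMAccountName.
    print(rewrite_through("uid=testuser", [single, RwmMap(AD_MAP, AD_OC_MAP)]))
    print(RwmMap(AD_MAP, AD_OC_MAP, drop_unmapped=False).rewrite("(&(uid=testuser)(sn=x))"))
```

The second print shows the mechanism worth checking against the Wireshark capture: with one map the client's `uid=testuser` leaves as `(sAMAccountName=testuser)`, but once the already-translated attribute meets a second map that only knows uid, mail and cn and drops everything else, the whole filter collapses to `(!(objectClass=*))`.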