Hi,
I have an Active Directory server, an OpenLDAP server and a client machine. AD is based on Windows Server 2003, OpenLDAP is 2.3.43-3.el5 running on CentOS 5 i386, and the client machine is CentOS 5 as well.
Does the OpenLDAP server, in any version, allow me to rewrite/remap/merge results from:
- Active Directory
- internal LDAP database (or any database)
to make them suitable for nss_ldap?
AD doesn't have all the attributes which are needed by nss_ldap, so I thought to keep an internal LDAP database with the missing information (uidNumber, loginShell, etc.) and merge, rewrite, remap or meta this information, and then give that result to nss_ldap.
I understand that it is possible to merge with slapd-meta different DITs from different databases into a single DIT, but what I need here is to merge attributes from one db with a second db (Active Directory), then rewrite that, and finally return the result to the querying client.
What I mean is, is it possible to rewrite/remap results from AD which look like this:
# (sAMAccountName=kucharskim)
dn: CN=kucharskim,CN=Users,DC=euops,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: kucharskim
distinguishedName: CN=kucharskim,CN=Users,DC=euops,DC=lan
instanceType: 4
whenCreated: 20091117183353.0Z
whenChanged: 20091117183353.0Z
uSNCreated: 15484
uSNChanged: 15488
name: Mikolaj Kucharski
objectGUID:: PLah511UiUKib3pt8HCJ+g==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129041574477164624
lastLogoff: 0
lastLogon: 129046275442578437
pwdLastSet: 129029564332783194
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA1MNb9pJhAvyslWmgfAcAAA==
accountExpires: 9223372036854775807
logonCount: 9
sAMAccountName: kucharskim
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=euops,DC=lan
memberOf: CN=testgroup,CN=ActiveDirectoryGroups,DC=euops,DC=lan
with pieces missing from another ldap db, to something like this:
# (uid=kucharskim)
dn: uid=kucharskim,ou=People,dc=ldapdomain,dc=lan
uid: kucharskim
cn: Mikolaj Kucharski
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12561
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10207
gidNumber: 10207
homeDirectory: /home/kucharskim
gecos: Mikolaj Kucharski

# (memberUid=kucharskim)
dn: cn=testgroup,ou=Groups,dc=ldapdomain,dc=lan
objectClass: posixGroup
objectClass: top
cn: testgroup
gidNumber: 50201
memberUid: kucharskim
memberUid: ldapuser1
memberUid: ldapuser2
I see that this is somewhat overly complicated, but I wanted to know whether that is possible. If it is, could someone tell me which version of OpenLDAP supports it and where I can read about how to implement that. Thank you.
Mikolaj Kucharski wrote:
> I have an Active Directory server, an OpenLDAP server and a client machine. AD is based on Windows Server 2003, OpenLDAP is 2.3.43-3.el5 running on CentOS 5 i386, and the client machine is CentOS 5 as well.
You might want to upgrade your OpenLDAP installation since 2.3.x is almost historic now and will not get much help. Yes, we all know that people want to stick to what's shipped with their favourite Linux distribution but...
> AD doesn't have all the attributes which are needed by nss_ldap, so I thought to keep an internal LDAP database with the missing information (uidNumber, loginShell, etc.) and merge, rewrite, remap or meta this information, and then give that result to nss_ldap.
You probably want to look into using slapo-translucent.
Ciao, Michael.
Mikolaj Kucharski wrote:
> Hi,
> I have an Active Directory server, an OpenLDAP server and a client machine. AD is based on Windows Server 2003, OpenLDAP is 2.3.43-3.el5 running on CentOS 5 i386, and the client machine is CentOS 5 as well.
> Does the OpenLDAP server, in any version, allow me to rewrite/remap/merge results from:
> - Active Directory
> - internal LDAP database (or any database)
> to make them suitable for nss_ldap?
> AD doesn't have all the attributes which are needed by nss_ldap, so I thought to keep an internal LDAP database with the missing information (uidNumber, loginShell, etc.) and merge, rewrite, remap or meta this information, and then give that result to nss_ldap.
Yes, use slapo-translucent(5).
openldap-technical@openldap.org
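Both replies point at slapo-translucent, so here is a worked configuration for the setup described in the question. It is an example added to this page, not configuration posted by anyone in the thread, and it targets OpenLDAP 2.4 (translucent_local and acl-bind are not in 2.3.43). The hostnames ad.euops.lan and proxy.euops.lan, the AD accounts slapd-proxy and nssreader, the rootdn cn=overrides, the certificate paths and the placeholder passwords are all assumptions. Two things it makes explicit that the thread does not: the translucent overlay merges a local entry into the remote entry that has the same DN, so the local database has to carry the AD DNs (it cannot rename CN=kucharskim,CN=Users,DC=euops,DC=lan into uid=kucharskim,ou=People,dc=ldapdomain,dc=lan; nss_ldap is pointed at the AD tree instead), and user binds are forwarded to AD, so passwords stay in AD while the local database holds nothing but the POSIX attributes.

```conf
## --- /etc/openldap/slapd.conf on the proxy host (OpenLDAP 2.4.x) ---
## Paths, hostnames, DNs and account names below are example assumptions.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
# Serve clients over ldaps (start slapd with -h "ldaps:///").
TLSCertificateFile      /etc/openldap/certs/proxy.crt
TLSCertificateKeyFile   /etc/openldap/certs/proxy.key

# Local database holding only what AD lacks. Its suffix MUST be the AD
# naming context: translucent merges a local entry into the AD entry with
# the same DN; it does not rename CN=...,CN=Users,DC=euops,DC=lan to
# uid=...,ou=People,dc=ldapdomain,dc=lan. Clients are pointed at the AD tree.
database        bdb
suffix          "DC=euops,DC=lan"
directory       /var/lib/ldap/euops-overrides
rootdn          "cn=overrides,DC=euops,DC=lan"
rootpw          {SSHA}replace-with-slappasswd-output
index           objectClass,uid,uidNumber,gidNumber,memberUid eq

# Only the clients' reader account may search. Everyone else, anonymous
# included, gets nothing, so AD attributes such as objectSid and
# userAccountControl are not exposed through the proxy.
access to *
        by dn.exact="CN=nssreader,CN=Users,DC=euops,DC=lan" read
        by * auth

overlay         translucent
# Filter terms on these attributes are evaluated against the local database,
# so nss_ldap's (objectClass=posixAccount), (uid=...) and (memberUid=...)
# filters match the overrides that AD knows nothing about.
translucent_local objectClass,uid,uidNumber,gidNumber,memberUid

# slapd-ldap(5) directives after the overlay line configure the internal
# back-ldap instance that talks to AD. Simple user binds are forwarded to
# AD unchanged (translucent_bind_local stays off), so passwords stay in AD.
uri             ldaps://ad.euops.lan/
# Dedicated read-only AD account used for the proxy's own searches. The
# credentials are cleartext here: chmod 600 this file. The CA that signed
# the DC's certificate goes into TLS_CACERT in /etc/openldap/ldap.conf,
# which libldap reads for this outgoing connection.
acl-bind        bindmethod=simple
                binddn="CN=slapd-proxy,CN=Users,DC=euops,DC=lan"
                credentials="replace-me"

## --- local-overrides.ldif, loaded through the proxy as its rootdn:
##   ldapadd -x -H ldaps://proxy.euops.lan/ -D cn=overrides,DC=euops,DC=lan \
##           -W -f local-overrides.ldif
## Adds via the overlay are allowed only for the rootdn; the missing parents
## (DC=euops,DC=lan, CN=Users, CN=ActiveDirectoryGroups) are created as glue
## records automatically unless translucent_no_glue is set.
dn: CN=kucharskim,CN=Users,DC=euops,DC=lan
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: kucharskim
uid: kucharskim
uidNumber: 10207
gidNumber: 10207
homeDirectory: /home/kucharskim
loginShell: /bin/bash
gecos: Mikolaj Kucharski
shadowLastChange: 12561
shadowMax: 99999
shadowWarning: 7

# memberUid is maintained here by hand; AD's member attribute is not
# translated into it.
dn: CN=testgroup,CN=ActiveDirectoryGroups,DC=euops,DC=lan
objectClass: top
objectClass: posixGroup
cn: testgroup
gidNumber: 50201
memberUid: kucharskim

## --- /etc/ldap.conf on the CentOS 5 client (nss_ldap and pam_ldap) ---
uri             ldaps://proxy.euops.lan/
base            DC=euops,DC=lan
tls_cacertfile  /etc/openldap/cacerts/internal-ca.pem
tls_checkpeer   yes
# This file is world-readable, so nssreader must be an AD account with read
# access and nothing else. Logins do not use it: pam_ldap looks up the user's
# DN, binds as CN=<user>,CN=Users,DC=euops,DC=lan, and the proxy forwards
# that bind to AD.
binddn          CN=nssreader,CN=Users,DC=euops,DC=lan
bindpw          replace-me
nss_base_passwd CN=Users,DC=euops,DC=lan?one
nss_base_shadow CN=Users,DC=euops,DC=lan?one
nss_base_group  CN=ActiveDirectoryGroups,DC=euops,DC=lan?one
```

Check the merge before touching the client: an ldapsearch against the proxy as nssreader with base CN=Users,DC=euops,DC=lan and filter (uid=kucharskim) should return exactly one entry that carries both sAMAccountName (from AD) and uidNumber/loginShell (from the local database); only then point nss_ldap at it and confirm with getent passwd kucharskim and id kucharskim. The filter splitting done by translucent_local is what lets a filter on a local-only attribute find the entry, so if the installed version does not honour it the search above is where that shows up first.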