Hi there,
We need to find out whether OpenLDAP will allow us to use it as a proxy so it can retrieve users from three different Windows Active Directory Domains. These three domains do not have any similar users. The user retrieval process needs to work like this:
- The application that needs this LDAP connection will point to the OpenLDAP server using an LDAP address such as ldap://server.example.com:389/OU=users...etc
- This application will also need to retrieve the sAMAccountName from each user retrieved via the OpenLDAP server
- The application's LDAP connection settings also need to specify an Administrator's DN and password, but I'm confused about this because I don't know what Administrator account to use. Like I said, each domain has its own set of users, so they don't have any Administrator accounts in common. How would this work?
If you need any more information, please let me know!!
Thanks,
- Christian
This email and any accompanying attachments are confidential. If you received this email by mistake, please delete it from your system. Any review, disclosure, copying, distribution, or use of the email by others is strictly prohibited.
On 21/08/2017 at 16:51, Palacios, Christian wrote:
Hello Christian,
I am implementing such a service for a customer right now.
You need to use OpenLDAP back-meta and define a uri parameter for each AD. In this uri parameter, you will be able to set which account is used to request AD.
Here is a very simple configuration sample:
----
database meta
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
rootpw secret

uri ldap://ad1.example.com/dc=ad1,dc=example,dc=com
suffixmassage dc=ad1,dc=example,dc=com dc=acme,dc=com
idassert-bind bindmethod="simple" binddn="cn=demo,cn=Users,dc=acme,dc=com" credentials="secret" mode="self" flags="non-prescriptive"

overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute * *
----
You can also find some hints on back-meta configuration on this page: https://ltb-project.org/documentation/general/sasl_delegation or in the OpenLDAP manpage: man slapd-meta
Another solution is to create a central LDAP Directory by synchronizing data from all AD into it. The LSC project can help you to do that: https://lsc-project.org/documentation/start
Hope it helps,
openldap-technical@openldap.org
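The single-target configuration from the reply, extended to the three domains the question asks about, as an added example that is not the reply's own config: the application binds to the proxy with a local identity (here the proxy's rootdn), and each target's own idassert-bind names the account the proxy uses to query that AD, which is why no shared Administrator account across the domains is needed. Host names, AD suffixes, service-account DNs and passwords are placeholders; the mode and flags values are the ones the reply uses.

```conf
# Added example (not the reply's config): one back-meta database fronting
# three AD domains. Hosts, AD suffixes and service-account DNs are placeholders.
database        meta
suffix          "dc=example,dc=com"
rootdn          "cn=manager,dc=example,dc=com"
# Store a hash produced by slappasswd instead of a cleartext secret
rootpw          "{SSHA}REPLACE-WITH-slappasswd-OUTPUT"

# Each "uri" starts a new target; the suffixmassage and idassert-bind that
# follow apply to that target only. ldaps:// keeps the per-domain service
# account credentials off the wire; give each account read-only rights in AD.
uri             ldaps://ad1.example.com/dc=ad1,dc=example,dc=com
suffixmassage   dc=ad1,dc=example,dc=com dc=corp1,dc=local
idassert-bind   bindmethod="simple"
                binddn="cn=svc-ldapproxy,cn=Users,dc=corp1,dc=local"
                credentials="REPLACE-ME-1"
                mode="self" flags="non-prescriptive"

uri             ldaps://ad2.example.com/dc=ad2,dc=example,dc=com
suffixmassage   dc=ad2,dc=example,dc=com dc=corp2,dc=local
idassert-bind   bindmethod="simple"
                binddn="cn=svc-ldapproxy,cn=Users,dc=corp2,dc=local"
                credentials="REPLACE-ME-2"
                mode="self" flags="non-prescriptive"

uri             ldaps://ad3.example.com/dc=ad3,dc=example,dc=com
suffixmassage   dc=ad3,dc=example,dc=com dc=corp3,dc=local
idassert-bind   bindmethod="simple"
                binddn="cn=svc-ldapproxy,cn=Users,dc=corp3,dc=local"
                credentials="REPLACE-ME-3"
                mode="self" flags="non-prescriptive"

# Present AD's sAMAccountName to clients as uid and pass every other
# attribute through unchanged. rwm rewrites search filters and requested
# attribute lists as well, so a client filter (uid=jdoe) reaches AD as
# (sAMAccountName=jdoe).
overlay         rwm
rwm-map         attribute uid sAMAccountName
rwm-map         attribute * *

# A search based at the proxy suffix fans out to all three targets, e.g.:
#   ldapsearch -H ldap://proxy.example.com -x -D cn=manager,dc=example,dc=com \
#       -W -b dc=example,dc=com "(uid=jdoe)" uid
# This file now holds three AD passwords: keep it mode 0600, owned by the
# user slapd runs as.
```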