Hello.
I use OpenLDAP as a proxy for M$ AD. The problem is: I can set a filter only by some fields like CN or Name. I can't query AD by sAMAccountName via the proxy. Also I can't see many AD-specific fields while browsing AD via the OpenLDAP proxy.
Request to proxy:
ldapsearch -M -LLL -H ldap://localhost:389 -x -D "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w password -x -b "dc=domain,dc=company,dc=com" '(sAMAccountName=bogdan.rudas)' sAMAccountName
Returns nothing.
Request directly to AD LDAP:
ldapsearch -M -LLL -H ldap://ADserver.domain.company.com:1234 -x -D "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w password -x -b "dc=domain,dc=company,dc=com" '(sAMAccountName=bogdan.rudas)' cn
Returns:
dn: CN=Bogdan Rudas.......skipped....
cn: Bogdan Rudas
Yet another request to proxy:
ldapsearch -M -LLL -H ldap://ADserver.domain.company.com:1234 -x -D "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w password -x -b "dc=domain,dc=company,dc=com" '(name=Bogdan Rudas)' cn sAMAccountName
dn: cn=Bogdan Rudas.......skip.....
cn: Bogdan Rudas
SAMACCOUNTNAME: bogdan.rudas
Slapd version 2.4.11-1, running on Debian 5.0 amd64.
OpenLDAP config:
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

modulepath      /usr/lib/ldap
moduleload      back_ldap

access to dn.base="" by * read
access to *
        by self read
        by users read
        by anonymous auth

loglevel        256

######################################################
# database definitions
######################################################

database        ldap
suffix          "dc=intra,dc=nival,dc=com"
uri             "ldap://ADserver.domain.company.com:1234"
acl-bind        bindmethod=simple
                binddn="cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com"
                credentials=password
chase-referrals yes
Bogdan B. Rudas wrote:
Your proxy knows nothing about those schema items, that's why they are ignored by slapd. You need to extract that information from AD, format it according to slapd's syntax for the "attributeType" and "objectClass" keywords in slapd.conf(5) and pre-load them much like you do with other schema items (the "include <file>.schema" lines above).
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------
On Wed, 25 Mar 2009 16:49:20 +0100 Pierangelo Masarati ando@sys-net.it wrote:
Your proxy knows nothing about those schema items, that's why they are ignored by slapd. You need to extract that information from AD, format it according to slapd's syntax for the "attributeType" and "objectClass" keywords in slapd.conf(5) and pre-load them much like you do with other schema items (the "include <file>.schema" lines above).
p.
Hello! Thank you for your response.
I made a custom schema with the following (I got the values with Apache Directory Studio):
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
Now I can see this field in the LDAP browser, but I still can't do searches using this field.
There are so many objectclasses in AD, how can I determine which of them I really need? I used slapd -d 1 and -d 512; both were like voodoo magic for me because I don't know what I should look for.
Bogdan B. Rudas wrote:
I made a custom schema with the following (I got the values with Apache Directory Studio):
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
Now I can see this field in the LDAP browser, but I still can't do searches using this field.
That's because the above attributetype does not have an EQUALITY rule. You need to guess one, since AD appears to produce an inconsistent schema description. Depending on whether it is supposed to be case-sensitive or not, caseExactMatch or caseIgnoreMatch should do the trick.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
Pierangelo Masarati wrote:
That's because the above attributetype does not have an EQUALITY rule. You need to guess one, since AD appears to produce an inconsistent schema description. Depending on whether it is supposed to be case-sensitive or not, caseExactMatch or caseIgnoreMatch should do the trick.
caseIgnoreMatch is appropriate for 'sAMAccountName' I think.
Ciao, Michael.
On Wed, 25 Mar 2009 18:57:21 +0100 Michael Ströder michael@stroeder.com wrote:
caseIgnoreMatch is appropriate for 'sAMAccountName' I think.
Ciao, Michael.
Thank you!
This solved my problem:
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
openldap-technical@openldap.org
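The two points of this thread, Pierangelo's advice that slapd only understands attributes it has a schema definition for, and the follow-up that a definition without an EQUALITY rule cannot be searched on, come down to how slapd evaluates a filter component against its own schema before back_ldap forwards anything to AD. The script below is an added example written for this page; it is not code from the posters or from OpenLDAP. It parses attributeType descriptions in the form Apache Directory Studio showed, emits a slapd.conf "attributetype" line with an EQUALITY rule filled in (the syntax-to-rule table is this example's assumption, not anything AD publishes), and models the three-valued filter evaluation of RFC 4511 section 4.5.1: an attribute that is unknown, or that has no matching rule, makes the component Undefined, and Undefined selects nothing, which is the empty result seen above. The sample entry reuses the value from the thread and is constructed. One caveat worth keeping in mind when choosing the rule: AD itself compares sAMAccountName case-insensitively, so caseIgnoreMatch (Michael's suggestion) mirrors the backend, while caseExactMatch, as in the final definition, makes the proxy's own view of the attribute stricter than AD's, which only matters where slapd rather than AD performs the comparison (for instance an ACL filter clause or an overlay that evaluates filters locally).

```python
"""Toy model of how slapd treats an equality filter under a given schema.

Added example for this thread; not the posters' code nor part of OpenLDAP.
It parses RFC 4512-style attributeType descriptions, supplies an EQUALITY
rule where AD's subschema omits one, and evaluates (attr=value) as RFC 4511
4.5.1 prescribes: no matching rule -> Undefined -> no entry selected.
All definitions and entries below are constructed sample data.
"""
import re

# RFC 4517 syntax OID -> EQUALITY rule to assume when the description has
# none.  This table is an assumption of the example, not published by AD.
DEFAULT_EQUALITY = {
    "1.3.6.1.4.1.1466.115.121.1.15": "caseIgnoreMatch",     # Directory String
    "1.3.6.1.4.1.1466.115.121.1.26": "caseIgnoreIA5Match",  # IA5 String
    "1.3.6.1.4.1.1466.115.121.1.27": "integerMatch",        # INTEGER
    "1.3.6.1.4.1.1466.115.121.1.7": "booleanMatch",         # Boolean
}

def _fold(s):
    # Simplified RFC 4518 string prep: trim and collapse runs of whitespace.
    return " ".join(s.split())

# Minimal matching-rule implementations: (assertion value, attribute value).
MATCHING_RULES = {
    "caseIgnoreMatch": lambda a, v: _fold(a).lower() == _fold(v).lower(),
    "caseIgnoreIA5Match": lambda a, v: _fold(a).lower() == _fold(v).lower(),
    "caseExactMatch": lambda a, v: _fold(a) == _fold(v),
    "integerMatch": lambda a, v: int(a) == int(v),
    "booleanMatch": lambda a, v: a.strip().upper() == v.strip().upper(),
}

def parse_attributetype(desc):
    """Parse the subset of an RFC 4512 attributeType description used here.
    Accepts the bare '( ... )' form and a slapd.conf 'attributetype' line."""
    oid = re.search(r"\(\s*([\d.]+)", desc)
    name = re.search(r"\bNAME\s+'([^']+)'", desc)
    syntax = re.search(r"\bSYNTAX\s+'?([\d.]+)'?", desc)
    if not (oid and name and syntax):
        raise ValueError("need numeric OID, NAME and SYNTAX: %r" % desc)
    eq = re.search(r"\bEQUALITY\s+([A-Za-z0-9]+)", desc)
    return {
        "oid": oid.group(1),
        "name": name.group(1),
        "equality": eq.group(1) if eq else None,
        "syntax": syntax.group(1),
        "single_value": re.search(r"\bSINGLE-VALUE\b", desc) is not None,
    }

def to_slapd(at, equality=None):
    """Render a slapd.conf 'attributetype' line.  The EQUALITY rule comes
    from the explicit argument, else the description, else DEFAULT_EQUALITY."""
    eq = equality or at["equality"] or DEFAULT_EQUALITY.get(at["syntax"])
    parts = [at["oid"], "NAME '%s'" % at["name"]]
    if eq:
        parts.append("EQUALITY " + eq)
    parts.append("SYNTAX " + at["syntax"])
    if at["single_value"]:
        parts.append("SINGLE-VALUE")
    return "attributetype ( %s )" % " ".join(parts)

def build_schema(descs):
    """Lower-cased attribute name -> parsed attributeType."""
    return {at["name"].lower(): at for at in map(parse_attributetype, descs)}

def eval_equality(schema, entry, attr, assertion):
    """Three-valued result of (attr=assertion): True, False, or None for
    Undefined (attribute unknown to the schema, or no usable EQUALITY rule)."""
    at = schema.get(attr.lower())
    if at is None or at["equality"] not in MATCHING_RULES:
        return None
    rule = MATCHING_RULES[at["equality"]]
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return any(rule(assertion, v) for v in values)

def search(schema, entries, attr, assertion):
    """Entries selected by (attr=assertion).  Undefined never selects: this
    is the empty result the proxy gave before sAMAccountName had a rule."""
    return [e for e in entries if eval_equality(schema, e, attr, assertion) is True]

# Constructed data: a simplified 'cn' (core.schema's real definition is
# richer) and sAMAccountName as Apache Directory Studio reported it.
CORE_CN = "( 2.5.4.3 NAME 'cn' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"
AD_SAM = ("( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' "
          "SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )")
ENTRIES = [{"cn": ["Bogdan Rudas"], "sAMAccountName": ["bogdan.rudas"]}]

if __name__ == "__main__":
    sam = parse_attributetype(AD_SAM)
    for label, descs in [
        ("core schema only", [CORE_CN]),
        ("AD description, no EQUALITY", [CORE_CN, AD_SAM]),
        ("caseExactMatch", [CORE_CN, to_slapd(sam, "caseExactMatch")]),
        ("caseIgnoreMatch", [CORE_CN, to_slapd(sam)]),
    ]:
        schema = build_schema(descs)
        for value in ("bogdan.rudas", "Bogdan.Rudas"):
            hits = search(schema, ENTRIES, "sAMAccountName", value)
            print("%-28s (sAMAccountName=%s) -> %d entries" % (label, value, len(hits)))
```

Running it prints four schema variants against the same entry: the first two select nothing for either spelling, caseExactMatch selects only the exact lower-case value, and caseIgnoreMatch selects both. To apply the same approach to a real directory, feed parse_attributetype with the attributeTypes values read from AD's subschema subentry and review every rule the table fills in before putting the generated lines into a schema file included by slapd.conf.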