5:28 a.m.
Hello.
I use OpenLDAP as proxy for M$ AD.
The problem is: I can set filter only by some fileds like CN or Name.
I can't query AD by sAMAccountName via proxy
Also I can't see many AD-specific fileds while browsing AD via OpenLDAP
proxy.
Request to proxy:
ldapsearch -M -LLL -H ldap://localhost:389 -x -D
"cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w
password -x -b "dc=domain,dc=company,dc=com"
'(sAMAccountName=bogdan.rudas)' sAMAccountName
Return nothing.
Request directly to AD LDAP:
ldapsearch -M -LLL -H ldap://ADserver.domain.company.com:1234 -x -D
"cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w
password -x -b "dc=domain,dc=company,dc=com"
'(sAMAccountName=bogdan.rudas)' cn
Returns:
dn: CN=Bogdan Rudas.......skipped....
cn: Bogdan Rudas
Yet another request to proxy:
ldapsearch -M -LLL -H ldap://ADserver.domain.company.com:1234 -x -D
"cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w
password -x -b "dc=domain,dc=company,dc=com" '(name=Bogdan Rudas)' cn
sAMAccountName
dn: cn=Bogdan Rudas.......skip.....
cn: Bogdan Rudas
SAMACCOUNTNAME: bogdan.rudas
Slapd version 2.4.11-1
Running on Debian 5.0 amd64
OpenLDAP config:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/ldap
moduleload back_ldap
access to dn.base="" by * read
access to *
by self read
by users read
by anonymous auth
loglevel 256
######################################################
# database definitions
######################################################
database ldap
suffix "dc=intra,dc=nival,dc=com"
uri "ldap://ADserver.domain.company.com:1234"
acl-bind bindmethod=simple
binddn="cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com"
credentials=password
chase-referrals yes
8:49 a.m.
Bogdan B. Rudas wrote:
Hello.
I use OpenLDAP as proxy for M$ AD.
The problem is: I can set filter only by some fileds like CN or Name.
I can't query AD by sAMAccountName via proxy
Also I can't see many AD-specific fileds while browsing AD via OpenLDAP
proxy.
Request to proxy:
ldapsearch -M -LLL -H ldap://localhost:389 -x -D
"cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w
password -x -b "dc=domain,dc=company,dc=com"
'(sAMAccountName=bogdan.rudas)' sAMAccountName
Return nothing.
Request directly to AD LDAP:
ldapsearch -M -LLL -H ldap://ADserver.domain.company.com:1234 -x -D
"cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w
password -x -b "dc=domain,dc=company,dc=com"
'(sAMAccountName=bogdan.rudas)' cn
Returns:
dn: CN=Bogdan Rudas.......skipped....
cn: Bogdan Rudas
Yet another request to proxy:
ldapsearch -M -LLL -H ldap://ADserver.domain.company.com:1234 -x -D
"cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w
password -x -b "dc=domain,dc=company,dc=com" '(name=Bogdan Rudas)' cn
sAMAccountName
dn: cn=Bogdan Rudas.......skip.....
cn: Bogdan Rudas
SAMACCOUNTNAME: bogdan.rudas
Slapd version 2.4.11-1
Running on Debian 5.0 amd64
OpenLDAP config:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/ldap
moduleload back_ldap
access to dn.base="" by * read
access to *
by self read
by users read
by anonymous auth
loglevel 256
######################################################
# database definitions
######################################################
database ldap
suffix "dc=intra,dc=nival,dc=com"
uri "ldap://ADserver.domain.company.com:1234"
acl-bind bindmethod=simple
binddn="cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com"
credentials=password
chase-referrals yes
Your proxy knows nothing about those schema items, that's why they are
ignored by slapd. You need to extract that information from AD, format
it according to slapd's syntax for "attributeType" and
"objectClass"
keyworks in slapd.conf(5) and pre-load them muck like you do with other
schema items (the "include <file>.schema" lines above).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando(a)sys-net.it
-----------------------------------
9:14 a.m.
On Wed, 25 Mar 2009 16:49:20 +0100
Pierangelo Masarati <ando(a)sys-net.it> wrote:
Bogdan B. Rudas wrote:
> Hello.
>
> I use OpenLDAP as proxy for M$ AD.
> The problem is: I can set filter only by some fileds like CN or
> Name. I can't query AD by sAMAccountName via proxy
> Also I can't see many AD-specific fileds while browsing AD via
> OpenLDAP proxy.
>
>
> Request to proxy:
>
> ldapsearch -M -LLL -H ldap://localhost:389 -x -D
> "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w
> password -x -b "dc=domain,dc=company,dc=com"
> '(sAMAccountName=bogdan.rudas)' sAMAccountName
>
> Return nothing.
>
> Request directly to AD LDAP:
>
> ldapsearch -M -LLL -H ldap://ADserver.domain.company.com:1234 -x -D
> "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w
> password -x -b "dc=domain,dc=company,dc=com"
> '(sAMAccountName=bogdan.rudas)' cn
>
> Returns:
>
> dn: CN=Bogdan Rudas.......skipped....
> cn: Bogdan Rudas
>
>
> Yet another request to proxy:
>
> ldapsearch -M -LLL -H ldap://ADserver.domain.company.com:1234 -x -D
> "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w
> password -x -b "dc=domain,dc=company,dc=com" '(name=Bogdan
Rudas)'
> cn sAMAccountName
>
> dn: cn=Bogdan Rudas.......skip.....
> cn: Bogdan Rudas
> SAMACCOUNTNAME: bogdan.rudas
>
> Slapd version 2.4.11-1
> Running on Debian 5.0 amd64
>
> OpenLDAP config:
>
> include /etc/ldap/schema/core.schema
> include /etc/ldap/schema/cosine.schema
> include /etc/ldap/schema/inetorgperson.schema
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd/slapd.args
>
> modulepath /usr/lib/ldap
> moduleload back_ldap
>
>
> access to dn.base="" by * read
> access to *
> by self read
> by users read
> by anonymous auth
>
> loglevel 256
>
> ######################################################
> # database definitions
> ######################################################
>
> database ldap
> suffix "dc=intra,dc=nival,dc=com"
> uri "ldap://ADserver.domain.company.com:1234"
> acl-bind bindmethod=simple
> binddn="cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com"
> credentials=password
> chase-referrals yes
Your proxy knows nothing about those schema items, that's why they
are ignored by slapd. You need to extract that information from AD,
format it according to slapd's syntax for "attributeType" and
"objectClass" keyworks in slapd.conf(5) and pre-load them muck like
you do with other schema items (the "include <file>.schema" lines
above).
p.
Hello!
Thank you for your response.
I made custom schema with - I get values with Apache Directory Studio
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX
'1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
Now I can see this field in LDAP browser, but still can't do searches
using this filed.
There so much objectclasses in AD, how can I determine which of them I
really need? I used slapd -d 1 and -d 512 - both was like a woodoo
magick for me because I don't know for what should I look.
9:28 a.m.
Bogdan B. Rudas wrote:
I made custom schema with - I get values with Apache Directory
Studio
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX
'1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
Now I can see this field in LDAP browser, but still can't do searches
using this filed.
That's because the above attributetype does not have an EQUALITY rule.
You need to guess one, since AD appears to produce inconsistent schema
description. Depending whether it is supposed to be case-sensitive or
not, caseExactMatch or caseIgnoreMatch should do the trick.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando(a)sys-net.it
-----------------------------------
10:57 a.m.
Pierangelo Masarati wrote:
Bogdan B. Rudas wrote:
> I made custom schema with - I get values with Apache Directory Studio
>
> attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX
> '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
>
> Now I can see this field in LDAP browser, but still can't do searches
> using this filed.
That's because the above attributetype does not have an EQUALITY rule.
You need to guess one, since AD appears to produce inconsistent schema
description. Depending whether it is supposed to be case-sensitive or
not, caseExactMatch or caseIgnoreMatch should do the trick.
caseIgnoreMatch is appropriate for 'sAMAccountName' I think.
Ciao, Michael.
1:55 a.m.
On Wed, 25 Mar 2009 18:57:21 +0100
Michael Ströder <michael(a)stroeder.com> wrote:
Pierangelo Masarati wrote:
> Bogdan B. Rudas wrote:
>
>> I made custom schema with - I get values with Apache Directory
>> Studio
>>
>> attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX
>> '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
>>
>> Now I can see this field in LDAP browser, but still can't do
>> searches using this filed.
>
> That's because the above attributetype does not have an EQUALITY
> rule. You need to guess one, since AD appears to produce
> inconsistent schema description. Depending whether it is supposed
> to be case-sensitive or not, caseExactMatch or caseIgnoreMatch
> should do the trick.
caseIgnoreMatch is appropriate for 'sAMAccountName' I think.
Ciao, Michael.
Thank you!
This solved my problem:
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' EQUALITY
caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
5182
days inactive
5183
days old
openldap-technical@openldap.org
5 comments
3 participants
participants (3)
-
Bogdan B. Rudas -
Michael Ströder -
Pierangelo Masarati