I know this list gets a large number of questions about Active Directory integration and this one is no different. I've tried to do as much research as possible on my own but still have a few unanswered questions and issues, so I'm adding yet another AD question to the list. Sorry in advance.
My initial foray into OpenLDAP was to use it to store the idmaps created by Samba, so that mapped user and group IDs were identical between file servers. As I thought about it more, I realized we could use LDAP to centralize our Linux users, groups, and access to other LDAP-enabled applications. The point of all this is that I don't need to proxy Active Directory (and its schema) in its entirety; I really just want to use it as a central repository for user info and authentication.
So, I guess, my first question is: Is this a viable use case? All signs seem to point to yes, but I just want to make sure.
I currently have a proxy database configured that is successfully proxying/querying our AD infrastructure. From what I've read, OpenLDAP 2.3 and newer have the ability to proxy unknown schemas, but will not be able to do any advanced filtering because the schema is unknown. My question is, given a full export of the AD schema from CN=Schema,CN=Configuration,DC=corp,DC=whatever,DC=com via LDIFDE, is there a way to leverage this to re-create parts of the AD schema so that OpenLDAP can perform native filtering? I'm primarily only interested in the user objects (ObjectClass=user).
I know that all of this might be easier if I were to use ADAM/ADLDS and/or scrape the Samba4 schema, but I'd like to do it myself just for the education it provides and because I'm trying to implement just the bare minimum to our users. I've also seen the AD/Outlook Global Address List entry in the FAQ, but that involves editing the OpenLDAP-provided .schema files. If possible, I'd like to keep all of these AD-related schemas within their own files and keep the OpenLDAP-provided ones untouched.
Thanks for the help,
-Dave
I would be interested in this.
Were you able to get it to convert anonymous searches on OpenLDAP to non-anon searches into AD?
So I wanted to be able to search email addresses from AD via OpenLDAP. I created a read-only userid for AD. But I could never work out how to configure OpenLDAP to use the given user/password when there was an anon request.
Alex
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Mailing Lists
Sent: Thursday, 22 November 2012 7:50 AM
To: openldap-technical@openldap.org
Subject: OpenLDAP Proxy to AD of User Objects with full/correct schema
within the "ldap" database specification:
idassert-bind bindmethod=simple binddn="cn=substitute-identity" credentials="password" mode=none
idassert-authzFrom dn.exact:""
p.
Pretty sure I tried that. Go back and give it another test.
How does it differentiate between anon and non-anon binds to OpenLDAP?
So if it's an anon bind to OpenLDAP -> I want to bind with the supplied credentials.
Non-anon bind to OpenLDAP -> I want to bind with the credentials that are supplied to OpenLDAP from the client.
Does that make sense?
Thanks Alex
-----Original Message-----
From: Pierangelo Masarati [mailto:masarati@aero.polimi.it]
Sent: Friday, 23 November 2012 8:30 AM
To: Alex Samad - Yieldbroker
Cc: Mailing Lists; openldap-technical@openldap.org
Subject: RE: OpenLDAP Proxy to AD of User Objects with full/correct schema
--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
On 11/22/2012 11:33 PM, Alex Samad - Yieldbroker wrote:
please do not top post.
within the "ldap" database specification:
idassert-bind bindmethod=simple binddn="cn=substitute-identity" credentials="password" mode=none
idassert-authzFrom dn.exact:""

idassert-bind bindmethod=simple binddn="cn=substitute-identity" credentials="password" mode=none flags=non-prescriptive
idassert-authzFrom dn.exact:""
Please note this has always been documented in slapd-ldap(5) since the introduction of the idassert-bind feature. Please read the manual for further help.
p.
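For readers who want to see the two directives above in context, here is a complete slapd.conf "database ldap" stanza that does what Alex described. It is an added illustration, not a configuration posted in the thread; the host name, the service-account DN and the password are placeholders, and the suffix is kept identical to AD's so no suffixmassage is needed.

```conf
# Added example, not from the thread. Host, binddn and password are placeholders.
database        ldap
suffix          "dc=corp,dc=whatever,dc=com"
uri             "ldaps://dc1.corp.whatever.com/"
# AD hands out referrals for its other partitions (e.g. ForestDnsZones); do not
# have the proxy chase them.
chase-referrals no

# Identity used towards AD on behalf of clients that match idassert-authzFrom.
# mode=none: the request simply runs as this read-only service account; no
# proxied-authorization control is sent, so the account needs no extra rights.
# The password is stored in clear here, so keep slapd.conf readable by slapd only.
idassert-bind   bindmethod=simple
                binddn="cn=ldap-proxy,cn=Users,dc=corp,dc=whatever,dc=com"
                credentials="REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
                mode=none
                flags=non-prescriptive

# Only the anonymous identity (the empty DN) may have the service account
# substituted for it.
idassert-authzFrom dn.exact:""

# Resulting behaviour per client:
#  - anonymous search  -> forwarded to AD as cn=ldap-proxy (matches the rule above)
#  - client bound with its own DN/password -> does not match the rule; because of
#    flags=non-prescriptive the request is not refused but goes to AD on the
#    connection bound with the client's own credentials. Without the flag, such
#    clients are rejected (the default "prescriptive" behaviour Alex ran into).
```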
On Wed, Nov 21, 2012 at 03:50:03PM -0500, Mailing Lists wrote:
As I thought about it more, I realized we could use LDAP to centralize our Linux users, groups, and access to other LDAP-enabled applications. The point of all this is that I don't need to proxy Active Directory (and its schema) in its entirety; I really just want to use it as a central repository for user info and authentication.
So, I guess, my first question is: Is this a viable use case? All signs seem to point to yes, but I just want to make sure.
In principle, yes you can do this. In practice of course it depends on the details... If you want AD to store all the attributes needed by SAMBA and Linux clients, are you prepared to add them to the AD schema? Will they conflict with something that is already there? Remember that although AD provides an LDAP interface, it is not entirely compliant with LDAP standards - particularly with respect to schema.
I currently have a proxy database configured that is successfully proxying/querying our AD infrastructure. From what I've read, OpenLDAP 2.3 and newer have the ability to proxy unknown schemas, but will not be able to do any advanced filtering because the schema is unknown. My question is, given a full export of the AD schema from CN=Schema,CN=Configuration,DC=corp,DC=whatever,DC=com via LDIFDE, is there a way to leverage this to re-create parts of the AD schema so that OpenLDAP can perform native filtering? I'm primarily only interested in the user objects (ObjectClass=user).
You may need to do a bit of editing and reformatting on the schema entries but in principle yes you can add AD-like schema to OpenLDAP. You will have to watch out for schema that is incompatible with the built-in standard schema, but you can probably get close enough to do something useful.
I know that all of this might be easier if I were to use ADAM/ADLDS and/or scrape the Samba4 schema, but I'd like to do it myself just for the education it provides and because I'm trying to implement just the bare minimum to our users. I've also seen the AD/Outlook Global Address List entry in the FAQ, but that involves editing the OpenLDAP-provided .schema files. If possible, I'd like to keep all of these AD-related schemas within their own files and keep the OpenLDAP-provided ones untouched.
Makes sense.
Andrew
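As an added example of the "editing and reformatting" Andrew mentions (not code from the thread or from the OpenLDAP project), the script below turns LDIFDE attributeSchema entries into OpenLDAP attributetype lines for a separate ad.schema file, mapping AD attributeSyntax OIDs to RFC 4517 syntaxes and skipping names the stock OpenLDAP schema already defines. The syntax map, the BUILTIN set and the sample export are constructed here; the two attributeID OIDs are Active Directory's real ones.

```python
AD_SYNTAX = {  # AD attributeSyntax OID -> (RFC 4517 syntax OID, EQUALITY rule, SUBSTR rule)
    "2.5.5.1":  ("1.3.6.1.4.1.1466.115.121.1.12", "distinguishedNameMatch", None),
    "2.5.5.9":  ("1.3.6.1.4.1.1466.115.121.1.27", "integerMatch", None),
    "2.5.5.12": ("1.3.6.1.4.1.1466.115.121.1.15", "caseIgnoreMatch", "caseIgnoreSubstringsMatch"),
}
BUILTIN = {"cn", "sn", "givenName", "name", "description", "mail", "member"}  # stock names: skip

def parse_ldif(text):
    """Minimal LDIF reader -> list of {attr: [values]}; joins folded lines."""
    entries, cur, key = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and key:          # folded continuation line
            cur[key][-1] += raw[1:]
        elif raw.strip():
            key, _, val = raw.partition(":")
            cur.setdefault(key, []).append(val.lstrip(": "))
        elif cur:                                # blank line ends an entry
            entries.append(cur)
            cur, key = {}, None
    return entries

def to_attributetype(entry):
    """Render one attributeSchema entry as an OpenLDAP 'attributetype' line."""
    syntax, eq, substr = AD_SYNTAX[entry["attributeSyntax"][0]]
    parts = [f"attributetype ( {entry['attributeID'][0]} NAME '{entry['lDAPDisplayName'][0]}'",
             f"EQUALITY {eq}"] + ([f"SUBSTR {substr}"] if substr else []) + [f"SYNTAX {syntax}"]
    if entry.get("isSingleValued", ["FALSE"])[0].upper() == "TRUE":
        parts.append("SINGLE-VALUE")
    return " ".join(parts) + " )"

def convert(ldif_text):
    """attributetype lines for every attributeSchema entry with a known, non-clashing name."""
    return [to_attributetype(e) for e in parse_ldif(ldif_text)
            if "attributeSchema" in e.get("objectClass", [])
            and e["lDAPDisplayName"][0] not in BUILTIN and e["attributeSyntax"][0] in AD_SYNTAX]

# Constructed LDIFDE-style export; the two attributeIDs are AD's real OIDs.
SAMPLE_LDIF = """dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=corp,DC=whatever,DC=com
objectClass: attributeSchema
lDAPDisplayName: sAMAccountName
attributeID: 1.2.840.113556.1.4.221
attributeSyntax: 2.5.5.12
isSingleValued: TRUE

dn: CN=User-Account-Control,CN=Schema,CN=Configuration,DC=corp,DC=whatever,DC=com
objectClass: attributeSchema
lDAPDisplayName: userAccountControl
attributeID: 1.2.840.113556.1.4.8
attributeSyntax: 2.5.5.9
isSingleValued: TRUE"""
```

Attributes whose syntax is not in AD_SYNTAX are dropped silently; extend the map as you meet them (Large Integer, GeneralizedTime, Octet String and so on) rather than guessing.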