On 14 December 2011 17:44, Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Wednesday, December 14, 2011 3:40 PM -0500 Juan Miscaro jmiscaro@gmail.com wrote:
I would like to use the slapd-ldap backend as a proxy to Active Directory (Windows Server 2008 R2).
Firstly, AD can be queried directly:
Does your local OpenLDAP have a schema file that defines the AD attributes you are using?
No. I read that since OpenLDAP 2.3 this was not necessary (I'm running 2.4.25 on Ubuntu 11.10). I got my project from a tutorial [1] where this all worked.
[1]: http://is.gd/dqM1Ts (see section "Using OpenLDAP 2.3 to Pass Unknown Schema" on page 2)
Juan Miscaro wrote:
On 14 December 2011 17:44, Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Wednesday, December 14, 2011 3:40 PM -0500 Juan Miscaro jmiscaro@gmail.com wrote:
I would like to use the slapd-ldap backend as a proxy to Active Directory (Windows Server 2008 R2).
Firstly, AD can be queried directly:
Does your local OpenLDAP have a schema file that defines the AD attributes you are using?
No. I read that since OpenLDAP 2.3 this was not necessary (I'm running 2.4.25 on Ubuntu 11.10). I got my project from a tutorial [1] where this all worked.
[1]: http://is.gd/dqM1Ts (see section "Using OpenLDAP 2.3 to Pass Unknown Schema" on page 2)
The passthru of unknown schema is just a hack. It will allow you to see some data but without actual schema definitions it can't do proper normalization, case matching, filter parsing, etc... Everything works better with actual schema defined.
On 14 December 2011 22:30, Howard Chu hyc@symas.com wrote:
The passthru of unknown schema is just a hack. It will allow you to see some data but without actual schema definitions it can't do proper normalization, case matching, filter parsing, etc... Everything works better with actual schema defined.
Gah!
So do I need to get the actual schema from AD and try to import it or is there something more easily available? It doesn't seem like I'm doing something exotic here. Others must have confronted such a situation. Right? :)
On 15/12/2011 14:57, Juan Miscaro wrote:
So do I need to get the actual schema from AD and try to import it or is there something more easily available? It doesn't seem like I'm doing something exotic here. Others must have confronted such a situation. Right? :)
You'd think so. I've hit the same problem recently.
You can't import the MS AD schema directly; it uses syntaxes that OpenLDAP doesn't understand. The OpenLDAP documentation suggests that adding new syntaxes requires changes to the source code, so it's not trivial to solve.
I found a workaround which may be useful to you. OpenLDAP won't return attributes for an unknown schema initially, but if you do a single search for an attribute it does understand, subsequent searches can be made on the ones for which there's no schema.
On my OpenLDAP AD proxy, as soon as slapd has started I do a trivial search for a 'cn' attribute for a known record. After that, it's possible to search on sAMAccountName or other attributes without any problems.
On 12/16/2011 03:35 PM, Liam Gretton wrote:
On 15/12/2011 14:57, Juan Miscaro wrote:
So do I need to get the actual schema from AD and try to import it or is there something more easily available? It doesn't seem like I'm doing something exotic here. Others must have confronted such a situation. Right? :)
You'd think so. I've hit the same problem recently.
You can't import the MS AD schema directly; it uses syntaxes that OpenLDAP doesn't understand. The OpenLDAP documentation suggests that adding new syntaxes requires changes to the source code, so it's not trivial to solve.
I found a workaround which may be useful to you. OpenLDAP won't return attributes for an unknown schema initially, but if you do a single search for an attribute it does understand, subsequent searches can be made on the ones for which there's no schema.
On my OpenLDAP AD proxy, as soon as slapd has started I do a trivial search for a 'cn' attribute for a known record. After that, it's possible to search on sAMAccountName or other attributes without any problems.
You don't need 99% of what you said. All you need is:
- find out what operations your clients need to do (i.e. what attributes, e.g. sAMAccountName, in what filter types, e.g. equality, presence, etc. will be used by your clients)
- define those attributes with appropriate matching rules in slapd's schema; this requires nothing but a few lines like
attributeType ( <oid> NAME <name> SYNTAX <syntax> [ EQUALITY <equalityrule> ] )
You don't need to create all the schema, only the portions that are needed. If an attribute uses a syntax that OpenLDAP's slapd does not support (yet), you can use the closest one. Usually, anything that needs not be case insensitive can be octet string, which has an equality rule.
If you think there are (standard track) syntaxes that AD supports and OpenLDAP misses, feel free to file a request for enhancement using the ITS (http://www.openldap.org/its/). Adding that type of support can be pretty trivial, as syntaxes may require minimal code that can be placed in a module and loaded run-time.
p.
On 16 December 2011 10:14, Pierangelo Masarati masarati@aero.polimi.it wrote:
- find out what operations your clients need to do (i.e. what attributes, e.g. sAMAccountName, in what filter types, e.g. equality, presence, etc. will be used by your clients)
- define those attributes with appropriate matching rules in slapd's schema; this requires nothing but a few lines like
attributeType ( <oid> NAME <name> SYNTAX <syntax> [ EQUALITY <equalityrule> ] )
You don't need to create all the schema, only the portions that are needed.
Which schema are you referring to when you say 'slapd's schema'? I have the following ones, but I imagine a separate one would be needed:
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
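The following is an added example, not code from the thread or from the OpenLDAP project. It puts Pierangelo's advice into practice and answers the question just above about where the definitions go: it renders a handful of AD attribute definitions in both forms slapd accepts, a `.schema` file for slapd.conf and an LDIF entry that adds a new schema entry under cn=schema,cn=config (the entry name `msad` and the choice of attributes are assumptions; the attribute OIDs are Microsoft's published attributeIDs and the syntax/matching-rule pairs are the RFC 4517 ones, which you should verify against your own forest). The `check_filter` helper is the first step in Pierangelo's list: feed it the filters your clients send and it tells you which attributes still lack a matching rule.

```python
"""Minimal AD attribute definitions for an OpenLDAP slapd-ldap proxy.

Added example, not from the thread or the OpenLDAP project. Only the
attributes clients actually filter on are defined, each with the closest
syntax slapd already knows and an EQUALITY rule, so that filters such as
(sAMAccountName=jdoe) are parsed and normalised instead of passed through.
Attribute OIDs: Microsoft's published attributeIDs. Syntax/rule pairs:
RFC 4517. The schema entry name 'msad' is our own choice.
"""
import re

# RFC 4517 syntaxes slapd supports, with the EQUALITY rule that fits each.
SYNTAX = {
    "directoryString": ("1.3.6.1.4.1.1466.115.121.1.15", "caseIgnoreMatch"),
    "integer":         ("1.3.6.1.4.1.1466.115.121.1.27", "integerMatch"),
    "octetString":     ("1.3.6.1.4.1.1466.115.121.1.40", "octetStringMatch"),
    "dn":              ("1.3.6.1.4.1.1466.115.121.1.12", "distinguishedNameMatch"),
}

# (attribute name, AD attributeID, closest slapd syntax, single-valued?)
# AD-specific syntaxes (SID, large integer) have no slapd equivalent, so
# objectSid is mapped to octetString, which still has an equality rule.
AD_ATTRIBUTES = [
    ("sAMAccountName",     "1.2.840.113556.1.4.221", "directoryString", True),
    ("userPrincipalName",  "1.2.840.113556.1.4.656", "directoryString", True),
    ("userAccountControl", "1.2.840.113556.1.4.8",   "integer",         True),
    ("objectSid",          "1.2.840.113556.1.4.146", "octetString",     True),
    ("memberOf",           "1.2.840.113556.1.2.102", "dn",              False),
]

OID_RE = re.compile(r"^\d+(\.\d+)+$")


def attribute_type(name, oid, syntax_key, single_valued):
    """Render one attributeType definition in the form slapd accepts."""
    if not OID_RE.match(oid):
        raise ValueError(f"{name}: '{oid}' is not a numeric OID")
    syntax_oid, equality = SYNTAX[syntax_key]
    parts = [f"( {oid} NAME '{name}'", f"EQUALITY {equality}", f"SYNTAX {syntax_oid}"]
    if single_valued:
        parts.append("SINGLE-VALUE")
    return " ".join(parts) + " )"


def slapd_conf_schema(attrs=AD_ATTRIBUTES):
    """Lines for a .schema file that slapd.conf pulls in with 'include'."""
    return [f"attributetype {attribute_type(*a)}" for a in attrs]


def cn_config_ldif(attrs=AD_ATTRIBUTES, cn="msad"):
    """LDIF adding the same definitions as a new schema entry under
    cn=schema,cn=config, next to the core/cosine/nis/inetorgperson entries.
    Load it with ldapadd against the config database."""
    lines = [f"dn: cn={cn},cn=schema,cn=config",
             "objectClass: olcSchemaConfig",
             f"cn: {cn}"]
    lines += [f"olcAttributeTypes: {attribute_type(*a)}" for a in attrs]
    return "\n".join(lines) + "\n"


def check_filter(ldap_filter, attrs=AD_ATTRIBUTES):
    """Return the equality rule slapd will use for a simple equality filter
    such as '(sAMAccountName=jdoe)', or None if the attribute is not yet
    defined and the filter would rely on the unknown-schema passthrough."""
    m = re.match(r"^\(([A-Za-z][A-Za-z0-9-]*)=", ldap_filter)
    if not m:
        return None
    wanted = m.group(1).lower()
    for attr_name, _oid, syntax_key, _single in attrs:
        if attr_name.lower() == wanted:
            return SYNTAX[syntax_key][1]
    return None


if __name__ == "__main__":
    print("\n".join(slapd_conf_schema()))
    print()
    print(cn_config_ldif())
    # Constructed sample filters: the last one has no definition yet.
    for f in ["(sAMAccountName=jdoe)", "(memberOf=cn=x,dc=example,dc=com)", "(mail=a@b)"]:
        print(f, "->", check_filter(f))
```

Write the output of `slapd_conf_schema()` to a file and `include` it from slapd.conf, or feed `cn_config_ldif()` to `ldapadd` against cn=config; either way the attributes become known to the proxy before any search is made, so the start-up trick of searching for `cn` first is no longer needed.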
On 16/12/2011 15:14, Pierangelo Masarati wrote:
On 12/16/2011 03:35 PM, Liam Gretton wrote:
On my OpenLDAP AD proxy, as soon as slapd has started I do a trivial search for a 'cn' attribute for a known record. After that, it's possible to search on sAMAccountName or other attributes without any problems.
You don't need 99% of what you said. All you need is:
[...]
You don't need to create all the schema, only the portions that are needed. If an attribute uses a syntax that OpenLDAP's slapd does not support (yet), you can use the closest one. Usually, anything that needs not be case insensitive can be octet string, which has an equality rule.
I started that, but it quickly looked like a significant amount of work for a number of attributes, so the quick and dirty solution was the workaround I mentioned. I've put aside creating a custom AD schema for a rainy day.
If you think there are (standard track) syntaxes that AD supports and OpenLDAP misses, feel free to file a request for enhancement using the ITS (http://www.openldap.org/its/).
It certainly would be useful. What does 'standard track' mean? I have a suspicion anything created by MS would automatically be excluded ;-)
On Wed, 4 Jan 2012, Liam Gretton wrote:
If you think there are (standard track) syntaxes that AD supports and OpenLDAP misses, feel free to file a request for enhancement using the ITS (http://www.openldap.org/its/).
It certainly would be useful. What does 'standard track' mean? I have a suspicion anything created by MS would automatically be excluded ;-)
Typically it refers to something that's intended to be published as a Standard through the IETF, although I'd like to think that OpenLDAP would be receptive to similar proceedings from other competent organizations.
Try as a starting point: http://www.ietf.org/about/standards-process.html
openldap-technical@openldap.org