Zalewski, Marvyn-Stephano
2015-10-22 11:11:54 UTC
Hey guys,
I got a huge problem here. Iâve been trying to merge users from a local LDAP (ou=local-users,ou=accounts,dc=domain: which authenticates against a remote active directory (which is not ldap://remote.site) with sasl) with local users who use a local stored password and with users from a remote active directory without storing them locally.
Letâs say i have the following structure:
Local-LDAP (ldap://localhost):
* dc=domain
* ou=accounts
* ou=local-users (with sasl)
* ou=remote-users (Meta-Backend Proxy to ldap://remote.site â ou=accounts,dc=remote-domain)
* ou=users (without sasl; password is stored locally)
Remote-AD (ldap://remote.site):
* dc=remote-domain
* ou=accounts
* <All Users are stored in this OU>
The local LDAP structure works as expected. When i request ou=accounts,dc=domain i get all users located in ou=local-users and ou=users.
And now i point out the problem:
I only get the object ou=remote-users without the users from ou=accounts,dc=remote-domain so the ou=remote-users seems to be empty. But when i explicit request the full DN of ou=remote-users (ou=remote-user,ou=accounts,dc=domain) i get the full list of all users located in ou=accounts,dc=remote-domain.
Hereâs my slapd.conf:
#######################################################################
# Global Directives:
#######################################################################
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
logfile /etc/ldap/slapd.log
loglevel 1
sasl-host localhost
sasl-secprops none
#######################################################################
# Dynamic Module Directives
#######################################################################
# Base Path and individual modules.
modulepath /usr/lib/ldap
moduleload back_hdb.so
moduleload refint.so
moduleload memberof.so
moduleload back_meta.so
moduleload rwm.so
# Defining referral integrity module to make sure the group relations are automatically updated. NOTE: Only when a 'delete' or 'edit' command has been issued.
overlay refint
refint_attributes member uniqueMember seeAlso
refint_nothing cn=EMPTY
# Defining memberof module which make sure to update the group affiliation for each user. NOTE: Added an own attribute to all users named: 'memberOf' which contains all groups.
overlay memberof
#######################################################################
# Database Directives:
#######################################################################
database meta
suffix "ou=remote-users,ou=accounts,dc=domain"
readonly off
lastmod off
uri "ldap://remote.site/ou=remote-users,ou=accounts,dc=domain"
suffixmassage "ou=remote-users,ou=accounts,dc=domainâ âou=accounts,dc=remote-domain"
idassert-bind bindmethod=simple
binddn=âcn=root,dc=remote-domain"
credentials=âroot"
mode=none
flags=non-prescriptive
idassert-authzFrom âdn.exact:cn=root,dc=remote-domain"
database hdb
directory /var/lib/ldap
suffix âdc=domain"
rootdn "cn=root,dc=domain"
rootpw root
index objectclass eq
index uid eq,sub
lastmod off
readonly off
My Search Results at parent OU:
#### ldapsearch -M -a always -D "cn=root,dc=domain" -w root -b "ou=accounts,dc=domainâ dn
# extended LDIF
#
# LDAPv3
# base <ou=accounts,dc=domain> with scope subtree
# filter: (objectclass=*)
# requesting: dn
# with manageDSAit control
#
# accounts, domain
dn: ou=accounts,dc=domain
# local-users, accounts, domain
dn: ou=local-users,ou=accounts,dc=domain
# frank, local-users, accounts, domain
dn: cn=frank,ou=local-users,ou=accounts,dc=domain
# remote-users, accounts, domain
dn: ou=remote-users,ou=accounts,dc=domain
# users, accounts, domain
dn: ou=users,ou=accounts,dc=domain
# peter, users, accounts, domain
dn: cn=peter,ou=users,ou=accounts,dc=domain
My Search Results at child and proxied OU:
#### ldapsearch -M -a always -D "cn=root,dc=domain" -w root -b âou=remote-accounts,ou=accounts,dc=domainâ dn
# extended LDIF
#
# LDAPv3
# base <ou=remote-users,ou=accounts,dc=domain> with scope subtree
# filter: (objectclass=*)
# requesting: dn
# with manageDSAit control
#
# remote-users, accounts, domain
dn: ou=remote-users,ou=accounts,dc=domain
dn: cn=albert,ou=remote-users,ou=accounts,dc=domain
I hope you guys can help me out.
If you have further question, please leave a mail.
Kind regards,
Marvyn :)
I got a huge problem here. Iâve been trying to merge users from a local LDAP (ou=local-users,ou=accounts,dc=domain: which authenticates against a remote active directory (which is not ldap://remote.site) with sasl) with local users who use a local stored password and with users from a remote active directory without storing them locally.
Letâs say i have the following structure:
Local-LDAP (ldap://localhost):
* dc=domain
* ou=accounts
* ou=local-users (with sasl)
* ou=remote-users (Meta-Backend Proxy to ldap://remote.site â ou=accounts,dc=remote-domain)
* ou=users (without sasl; password is stored locally)
Remote-AD (ldap://remote.site):
* dc=remote-domain
* ou=accounts
* <All Users are stored in this OU>
The local LDAP structure works as expected. When i request ou=accounts,dc=domain i get all users located in ou=local-users and ou=users.
And now i point out the problem:
I only get the object ou=remote-users without the users from ou=accounts,dc=remote-domain so the ou=remote-users seems to be empty. But when i explicit request the full DN of ou=remote-users (ou=remote-user,ou=accounts,dc=domain) i get the full list of all users located in ou=accounts,dc=remote-domain.
Hereâs my slapd.conf:
#######################################################################
# Global Directives:
#######################################################################
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
logfile /etc/ldap/slapd.log
loglevel 1
sasl-host localhost
sasl-secprops none
#######################################################################
# Dynamic Module Directives
#######################################################################
# Base Path and individual modules.
modulepath /usr/lib/ldap
moduleload back_hdb.so
moduleload refint.so
moduleload memberof.so
moduleload back_meta.so
moduleload rwm.so
# Defining referral integrity module to make sure the group relations are automatically updated. NOTE: Only when a 'delete' or 'edit' command has been issued.
overlay refint
refint_attributes member uniqueMember seeAlso
refint_nothing cn=EMPTY
# Defining memberof module which make sure to update the group affiliation for each user. NOTE: Added an own attribute to all users named: 'memberOf' which contains all groups.
overlay memberof
#######################################################################
# Database Directives:
#######################################################################
database meta
suffix "ou=remote-users,ou=accounts,dc=domain"
readonly off
lastmod off
uri "ldap://remote.site/ou=remote-users,ou=accounts,dc=domain"
suffixmassage "ou=remote-users,ou=accounts,dc=domainâ âou=accounts,dc=remote-domain"
idassert-bind bindmethod=simple
binddn=âcn=root,dc=remote-domain"
credentials=âroot"
mode=none
flags=non-prescriptive
idassert-authzFrom âdn.exact:cn=root,dc=remote-domain"
database hdb
directory /var/lib/ldap
suffix âdc=domain"
rootdn "cn=root,dc=domain"
rootpw root
index objectclass eq
index uid eq,sub
lastmod off
readonly off
My Search Results at parent OU:
#### ldapsearch -M -a always -D "cn=root,dc=domain" -w root -b "ou=accounts,dc=domainâ dn
# extended LDIF
#
# LDAPv3
# base <ou=accounts,dc=domain> with scope subtree
# filter: (objectclass=*)
# requesting: dn
# with manageDSAit control
#
# accounts, domain
dn: ou=accounts,dc=domain
# local-users, accounts, domain
dn: ou=local-users,ou=accounts,dc=domain
# frank, local-users, accounts, domain
dn: cn=frank,ou=local-users,ou=accounts,dc=domain
# remote-users, accounts, domain
dn: ou=remote-users,ou=accounts,dc=domain
# users, accounts, domain
dn: ou=users,ou=accounts,dc=domain
# peter, users, accounts, domain
dn: cn=peter,ou=users,ou=accounts,dc=domain
My Search Results at child and proxied OU:
#### ldapsearch -M -a always -D "cn=root,dc=domain" -w root -b âou=remote-accounts,ou=accounts,dc=domainâ dn
# extended LDIF
#
# LDAPv3
# base <ou=remote-users,ou=accounts,dc=domain> with scope subtree
# filter: (objectclass=*)
# requesting: dn
# with manageDSAit control
#
# remote-users, accounts, domain
dn: ou=remote-users,ou=accounts,dc=domain
dn: cn=albert,ou=remote-users,ou=accounts,dc=domain
I hope you guys can help me out.
If you have further question, please leave a mail.
Kind regards,
Marvyn :)