Q: Requesting parent OU doesn't seem to work right with Meta-Backend OU as child
Zalewski, Marvyn-Stephano
2015-10-22 11:11:54 UTC
Hey guys,

I've got a huge problem here. I've been trying to merge users from a local LDAP (ou=local-users,ou=accounts,dc=domain, which authenticates against a remote Active Directory (which is not ldap://remote.site) with SASL) with local users who use a locally stored password and with users from a remote Active Directory without storing them locally.
Let's say I have the following structure:

Local-LDAP (ldap://localhost):

* dc=domain
  * ou=accounts
    * ou=local-users (with SASL)
    * ou=remote-users (Meta-Backend proxy to ldap://remote.site – ou=accounts,dc=remote-domain)
    * ou=users (without SASL; password is stored locally)

Remote-AD (ldap://remote.site):

* dc=remote-domain
  * ou=accounts
    * <All users are stored in this OU>

The local LDAP structure works as expected. When I request ou=accounts,dc=domain I get all users located in ou=local-users and ou=users.
And now to the problem:
I only get the object ou=remote-users without the users from ou=accounts,dc=remote-domain, so ou=remote-users seems to be empty. But when I explicitly request the full DN of ou=remote-users (ou=remote-users,ou=accounts,dc=domain) I get the full list of all users located in ou=accounts,dc=remote-domain.

Here’s my slapd.conf:
#######################################################################
# Global Directives:
#######################################################################
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
logfile /etc/ldap/slapd.log
loglevel 1

sasl-host localhost
sasl-secprops none

#######################################################################
# Dynamic Module Directives
#######################################################################
# Base Path and individual modules.
modulepath /usr/lib/ldap
moduleload back_hdb.so
moduleload refint.so
moduleload memberof.so
moduleload back_meta.so
moduleload rwm.so

# Defining referral integrity module to make sure the group relations are automatically updated. NOTE: Only when a 'delete' or 'edit' command has been issued.
overlay refint
refint_attributes member uniqueMember seeAlso
refint_nothing cn=EMPTY

# Defining memberof module which make sure to update the group affiliation for each user. NOTE: Added an own attribute to all users named: 'memberOf' which contains all groups.
overlay memberof

#######################################################################
# Database Directives:
#######################################################################
database meta
suffix "ou=remote-users,ou=accounts,dc=domain"
readonly off
lastmod off

uri "ldap://remote.site/ou=remote-users,ou=accounts,dc=domain"
suffixmassage "ou=remote-users,ou=accounts,dc=domain" "ou=accounts,dc=remote-domain"
idassert-bind bindmethod=simple
    binddn="cn=root,dc=remote-domain"
    credentials="root"
    mode=none
    flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=root,dc=remote-domain"

database hdb
directory /var/lib/ldap
suffix "dc=domain"
rootdn "cn=root,dc=domain"
rootpw root
index objectclass eq
index uid eq,sub
lastmod off
readonly off


My Search Results at parent OU:

#### ldapsearch -M -a always -D "cn=root,dc=domain" -w root -b "ou=accounts,dc=domain" dn

# extended LDIF
#
# LDAPv3
# base <ou=accounts,dc=domain> with scope subtree
# filter: (objectclass=*)
# requesting: dn
# with manageDSAit control
#

# accounts, domain
dn: ou=accounts,dc=domain


# local-users, accounts, domain
dn: ou=local-users,ou=accounts,dc=domain

# frank, local-users, accounts, domain
dn: cn=frank,ou=local-users,ou=accounts,dc=domain


# remote-users, accounts, domain
dn: ou=remote-users,ou=accounts,dc=domain


# users, accounts, domain
dn: ou=users,ou=accounts,dc=domain

# peter, users, accounts, domain
dn: cn=peter,ou=users,ou=accounts,dc=domain


My Search Results at child and proxied OU:

#### ldapsearch -M -a always -D "cn=root,dc=domain" -w root -b "ou=remote-accounts,ou=accounts,dc=domain" dn

# extended LDIF
#
# LDAPv3
# base <ou=remote-users,ou=accounts,dc=domain> with scope subtree
# filter: (objectclass=*)
# requesting: dn
# with manageDSAit control
#

# remote-users, accounts, domain
dn: ou=remote-users,ou=accounts,dc=domain

dn: cn=albert,ou=remote-users,ou=accounts,dc=domain



I hope you guys can help me out.
If you have further questions, please send me a mail.

Kind regards,
Marvyn :)
