[SOLVED] ldap and active directory implementation via proxy, unable to chase referrals
Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
ldap and active directory implementation via proxy, unable to chase referrals
Hello,
I'm attempting to set up an openldap server to pass lookups to an active directory server if not found on the localhost. I've followed several tutorials online, and I can't seem to make this work. I feel like I am close, however.
Code:
# Import our schema
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
moduleload back_ldap
moduleload back_bdb.la
moduleload rwm
# Support both LDAPv2 and LDAPv3
allow bind_v2
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 256
# Our slapd-ldap back end to connect to AD
database ldap
suffix ou=Ad_users,dc=myaddomain,dc=com
subordinate
rebind-as-user yes
uri ldap://myadserverip:389
chase-referrals yes
readonly yes
protocol-version 3
ioverlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute mail proxyAddresses
binddn cn=myaduseraccount
bindpw myadpassword
# Everything above ^ seems to be working.
# Our primary back end
database bdb
#uri ldap://localhost
suffix dc=mylocalsite,dc=com
rootdn cn=admin,dc=mylocalsite,dc=com
rootpw SuperSecretPW
directory /var/lib/ldap
# Indexes for this back end
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid eq,pres,sub
What happens is that it will complain about the subordinate, with the following error:
Code:
Aug 25 15:48:55 nslogin slapd[13242]: glue: no superior found for sub ou=Ad-Users,dc=myaddomain,dc=com!
Aug 25 15:48:55 myserver slapd[13242]: subordinate config error
Aug 25 15:48:55 myserver slapd[13242]: slapd stopped.
Aug 25 15:48:55 myserver slapd[13242]: connections_destroy: nothing to destroy.
It looks to me like the subordinate clause must be wrong, preventing it from chasing referrals to the AD server. But I can't seem to find any other method to use subordinate other than how I've done it.
Aug 25 15:48:55 nslogin slapd[13242]: glue: no superior found for sub ou=Ad-Users,dc=myaddomain,dc=com!
A good place to start might be to remove the unit "Ad_users" and replace it with something like "adusers" since the underscore turns into a hyphen between examples.
A good place to start might be to remove the unit "Ad_users" and replace it with something like "adusers" since the underscore turns into a hyphen between examples.
I'm sorry, that was a typo. It was ad-users in both places.
One more thing to research - my experience a couple of years ago with the LDAP-like interface of ActiveDirectory is that it is Microsoft specific and not completely compatible to the open LDAP standard. Good luck.
One more thing to research - my experience a couple of years ago with the LDAP-like interface of ActiveDirectory is that it is Microsoft specific and not completely compatible to the open LDAP standard. Good luck.
Thanks. I tend to agree, these technologies don't seem to want to work together and anything beyond that would be forcing them to work when they would rather not. I did get it going, though I am not sure what exactly made it start working.
Will your setup query your backend AD if the account is not in the local OpenLDAP database? I am trying to configure this solution, but having issues myself.
Will your setup query your backend AD if the account is not in the local OpenLDAP database? I am trying to configure this solution, but having issues myself.
Yes, it does do that. I started with the following as a guide:
But I still had to fiddle with it a bit beyond that to get it to work. It was frustrating but I kept tweaking and hacking until I got it to work. But that article I posted above was the most helpful of all that I've been able to find.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
