Ldap – OpenLDAP userPrincipalName as BindDN

active-directoryldapopenldap

I've setup OpenLDAP as AD proxy according to:
https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD

Everything's working fine for clients using standard bindDN of full dn: attribute (e.g. cn=jdoe,ou=users,dc=example,dc=com)

Some of the clients are using userPrincipalName as bindDN, which is perfectly ok with AD, but not with the OpenLDAP proxy, which throws an error upon connect:

conn=1002 op=1 do_bind: invalid dn (jdoe@example.com)
send_ldap_result: conn=1002 op=1 p=3
send_ldap_result: err=34 matched="" text="invalid DN"
send_ldap_response: msgid=2 tag=97 err=34
conn=1002 op=1 RESULT tag=97 err=34 text=invalid DN

I tried to rewrite the bindDN of userPrincipalName using rwm-rewriteRule from the rwm overlay. That didn't work, although it works with standard bind dn's (e.g. cn=jdoe,ou=users,dc=example,dc=com)

This doesn't work:

rwm-rewriteRule "(.+,)@example.com$" "cn=$1,ou=users,dc=example,dc=com"  ":"

This works:

rewritin ou=users for ou=employees as a test:

rwm-rewriteRule "(.+,)?ou=users,dc=example,dc=com$" "$1ou=employees,dc=example,dc=com" ":"

Is there a way how to rewrite bindDN of jdoe@example.com to bindDN of cn=jdoe,ou=users,dc=example,dc=com?

Here's my current config:

include                 /etc/openldap/schema/core.schema  
include                 /etc/openldap/schema/cosine.schema  
include                 /etc/openldap/schema/inetorgperson.schema  
include                 /etc/openldap/schema/misc.schema  
include                 /etc/openldap/schema/nis.schema  

modulepath              /usr/lib64/openldap/  
moduleload              back_ldap  
moduleload              rwm  

pidfile                 /var/run/openldap/slapd.pid  
argsfile                /var/run/openldap/slapd.args  

database                ldap  
readonly                yes  
protocol-version        3  
rebind-as-user          yes  
uri                     "ldap://X.X.X.X:389"  
suffix                  "dc=example,dc=com"  
overlay                 rwm  
rwm-rewriteEngine on  
rwm-rewriteRule "(.+,)@example.com$" "cn=$1,ou=users,dc=example,dc=com"  ":"  
logfile                 /var/log/slapd/slapd.log  
loglevel                -1  
TLSCACertificatePath /etc/openldap/certs  
TLSCertificateFile "OpenLDAP Server"  
TLSCertificateKeyFile /etc/openldap/certs/password

Best Answer

It's right that you can rewrite bind-DNs with slapo-rwm but those have to be DNs.

So you could rewrite the short DN uid=user@example.com to uid=user,dc=example,dc=com even by searching the entry with filter (attr=user@example.com).

But the short form to be rewritten must be a valid DN string representation as defined in RFC 4514 and not just a user principal name user@example.com as with MS AD.

See examples in slapo-rwm(5).

Related Solutions

Ldap – Using OpenLDAP to proxy to an Novell eDirectory LDAP Server

Since you are having issues with eDirectory, you are quite lucky, since you can use DSTrace with the LDAP option on to see what is going on, from the eDirectory server view.

Once you know what is being asked, and what the server is responding you can effectively troubleshoot the issue.

Basic eDirectory schema is complaint with LDAP and any standard LDAP schema should work for the most part. To get some specific features you might need some additional support, but that does not sound like your issue.

If you have access to the 10.10.1.27 box, try and look at it via http://10.10.1.27:8008 (or possibly port 8010, or 8028 depending if you are running eDirectory on Netware, Windows or a Unix variant respectively). This should redirect you to an https:// connection one port number higher (8009, 8010, or 8030 (ya 2 not 1)). Look for iMonitor or Dstrace, and then clear all the other flags, and enable the LDAP flag. Then the Dstrace Live icon will refresh on each click with the latest transactions.

Now as to your issue of:

there's almost no hierarchy. (I can set a base DN and view a particular object... but if I set the real base DN... I can only see it... and no children.)

I would suspect this issue is more about not doing the right kind of query. Sounds like you are doing Entry not Subtree queries. This will be very obvious in Dstrace, as you will see a query event that looks something like:

10:19:01 B68BEBA0 LDAP: (10.1.1.42:55133)(0x0002:0x63) Search request:
base: "ou=people,o=acme,dc=com"
scope:2 dereference:3 sizelimit:1 timelimit:0 attrsonly:0
filter: "(&(objectClass=inetorgperson)(acme7DigitName=gxc1234))"
no attributes
10:19:01 B68BEBA0 LDAP: (10.1.1.42:55133)(0x0002:0x63) Empty attribute list implies all user attributes
10:19:01 B68BEBA0 LDAP: (10.1.1.42:55133)(0x0002:0x63) Sending search result entry "cn=gxc1234,ou=UNK,ou=People,o=acme,dc=com" to connection 0xa07e6c0

There the scope: 2 tells you it is an entry search. You want to see it do a subtree (0) level search in order to get what you are looking for.

You can read more about how I used this sort of tooling to debug the nonsense that SAP's GRC web interface does for LDAP data retrieval.

OpenLDAP – Troubleshooting OpenLDAP Replication Problem

It sounds to me like you're attempting to import a database dump into a running slave, either by means of ldapadd or slapcat. A running slapd instance with a replication mechanism configured in slave mode will reject all write attempts and return the message you provided.

If my slurpd based slapd servers ever became inconsistent I executed a fairly straight forward recovery procedure:

Put the master into read-only mode.
Make a fresh dump from the master and copy it to any inconsistent slaves (or copy from backups).
Completely stop slapd on the slave you want to recover.
Clear the contents of the data directory, /var/lib/ldap (you might want to save your DB_CONFIG file if the parameters aren't defined in slapd.conf)
Use slapadd to rebuild the directory on the slave (move DB_CONFIG back if necessary)
Start the slave normally.
Switch the master back into read-write mode.

yes, I am using slurpd replication method. It was running fine but somehow it broke down and till then its not working

You're probably running OpenLDAP 2.3.43 since that's what's packaged in CentOS 5.4. Unfortunately because of that you're also likely to run into replication issues again in the future unless you can upgrade to a newer OpenLDAP (2.4) server.

slurpd was very flawed, check out the OpenLDAP 2.4 docs for a complete explanation of why. The newer OpenLDAP releases come with a new replication mechanism called syncrepl which is much more robust and nearly impervious to failure.

In the future if you're interested in getting help migrating to a newer OpenLDAP server I can offer guidance there as well.

Best Answer

Related Solutions

Ldap – Using OpenLDAP to proxy to an Novell eDirectory LDAP Server

OpenLDAP – Troubleshooting OpenLDAP Replication Problem

Related Topic