On Tue, 26 Feb 2019 09:18:09 -0800, N6Ghost <n6gh...@gmail.com> wrote:
> On 2/26/2019 12:07 AM, Dieter Klünter wrote:
> > On Mon, 25 Feb 2019 13:34:45 -0800, N6Ghost <n6gh...@gmail.com> wrote:
> >
> >> hi all,
> >>
> >> I am trying to set up an openldap proxy to AD and I need to use SUSE
> >> Enterprise Linux 12.
> >>
> >> Hostname:/etc/openldap # rpm -qa|grep -i openldap
> >> openldap2-2.4.41-18.43.1.x86_64
> >> openldap2-client-2.4.41-18.43.1.x86_64
> >>
> >> What I am trying to do is proxy an application (with 1000s of
> >> users) from talking directly to AD to talking to openldap, and
> >> then have openldap talk to AD.
> >> Looking across the net there is a bunch of stuff, but most of it does not
> >> seem to apply, or work. Looking at the official doc, it says use SASL, but
> >> you must have a local entry with a {SASL} tag on the user; that's
> >> not really ideal and would make a huge problem. A few of the posts
> >> online just said pointing to AD via ldap is possible? And this
> >> application also has a group lookup as part of its auth
> >> process... e.g., only members of groupX can access....
> >>
> >> Any help in this would be huge.
> >>
> >>
> >> It seems I am mixing up a few different ways of doing this. What's the
> >> best way to do this?
> > I presume you are running slapd with slapd-ldap(5) backend.
> > AD requires non standard attribute types, which openldap does not
> > provide. Include AD schema files into slapd.
> > RFC-4513 requires sasl for strong binds, if your AD is setup as KDC
> > you may include openldap services as kerberos host and service
> > principals.
> >
> > -Dieter
>
> Where do I get the AD schema that's not in the schema directory? Yea,
> I was working with /etc/slapd.conf, but in openldap 2.4 it seems some
> stuff has changed, and there is lots
> of very conflicting information on how to go about getting the proxy
> to AD. Lots of posts say you can just have a config in slapd.conf,
> but that not only does not work,
> but many of the items in those configs don't work, and will not allow
> the service to even start.
Not much has changed since openldap-2.1 with regard to protocol
requirements.

>
> Then there is the matter where the official docs say you can pass
> through, but the accounts need a local openldap account with {SASL}
> tagged, which for a large
> domain with 1000s of users is a pain.

That's why I did point to Kerberos.

>
> And it seems openldap is more of a solutions backend that has a
> bazillion options, and you build out a design and options, configs,
> etc. based on your needs.
> And you have got to hunt down the how and what's supported etc., and you
> have to deal with the distros' packaging....

Most of the options you refer to are built-in as default, that is,
only tweak configuration parameters that are required for your setup.

Just as a hint:

ldapsearch -x -H ldap://path/to/AD -b "" -s base "(objectClass=*)" \
 namingContexts subschemaSubentry

Search for the subschemaSubentry attribute type.

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
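The two-step schema discovery Dieter hints at, written out as an added example that is not part of the thread and not code from either poster: first ask the AD root DSE (empty base, scope base) for subschemaSubentry, then read attributeTypes and objectClasses from that entry so the AD-specific types can be added to slapd before slapd-ldap(5) proxies to it. The LDAP URI ldap://dc.example.test and the LDIF reply are constructed placeholders; the only real tool assumed is ldapsearch from the openldap2-client package. Because the LDIF parser runs on the embedded sample, the whole pipeline can be checked without a domain controller.

```shell
#!/bin/sh
# Added example, not from the thread. Two-step lookup of the AD schema entry:
#   1. root DSE query for subschemaSubentry (what Dieter's hint does)
#   2. read attributeTypes/objectClasses from that entry for slapd's schema
# Assumed: ldapsearch (openldap2-client) on PATH; host and LDIF are placeholders.

# Emits the root DSE query (printed rather than run, so it can be checked offline).
rootdse_cmd() {
    # $1 = LDAP URI of the domain controller, e.g. ldap://dc.example.test (placeholder)
    printf '%s\n' "ldapsearch -x -LLL -H $1 -b \"\" -s base \"(objectClass=*)\" namingContexts subschemaSubentry"
}

# Reads LDIF on stdin and prints the subschemaSubentry value. LDIF folds long
# values onto continuation lines that begin with one space, so unfold first.
subschema_dn() {
    awk '
        /^ / { buf = buf substr($0, 2); next }      # continuation line: append to previous
        { if (buf != "") emit(buf); buf = $0 }       # new line: flush the completed one
        END { if (buf != "") emit(buf) }
        function emit(line) {
            # "subschemaSubentry: " is 19 characters; the value starts at column 20
            if (line ~ /^subschemaSubentry: /) print substr(line, 20)
        }
    '
}

# Emits the follow-up query that pulls the schema definitions out of the
# subschema entry. AD usually refuses anonymous reads of this entry, so a
# bound identity (-D <dn> -W) has to be added for a real run.
schema_cmd() {
    # $1 = LDAP URI, $2 = DN returned by subschema_dn
    printf '%s\n' "ldapsearch -x -LLL -H $1 -b \"$2\" -s base \"(objectClass=subschema)\" attributeTypes objectClasses"
}

# Constructed root DSE reply, with the DN folded across two lines as real
# ldapsearch output would be for a value this long.
SAMPLE_LDIF='dn:
namingContexts: DC=example,DC=test
namingContexts: CN=Configuration,DC=example,DC=test
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=exam
 ple,DC=test
'

# Runs the parser over the constructed reply and returns the unfolded DN.
discovered_dn() {
    printf '%s' "$SAMPLE_LDIF" | subschema_dn
}

# Walk-through: the command you would run, the DN the reply yields, and the
# second command built from it.
rootdse_cmd "ldap://dc.example.test"
DN=$(discovered_dn)
echo "subschemaSubentry = $DN"
schema_cmd "ldap://dc.example.test" "$DN"
```

Against a real domain controller, replace the embedded sample by piping the first command's output into subschema_dn; the attributeTypes values that come back are the definitions missing from the stock schema directory and can be turned into a schema file that slapd includes before the slapd-ldap(5) database is declared.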