proxyldap

Configuring LDAP Proxy Server with multiple AD/LDAP Servers


I am working on configuration of LDAP Proxy server with multiple AD/LDAP servers. I am able to successfully configure the LDAP Proxy but the end result is not what I need.

I have the following setup:

LDAP1 - ou=People,dc=example,dc=com (ldap://ldaphost1.example.com:389)

LDAP2 - ou=People,dc=example,dc=biz (ldap://ldaphost2.example.biz:389)

LDAP Proxy Server - dc=ldapproxy,dc=com (ldap://ldapproxy.com:389)

Here is my slapd.conf

# Database LDAP for local Manager authentication
#
# NOTE(review): this back-ldap instance has no "uri" directive, so it is not
# clear what remote server (if any) it would proxy to; presumably it exists
# only so that cn=manager can bind to the proxy via rootdn/rootpw -- confirm.
#
# SECURITY: "rootpw secret" stores the proxy manager password in clear text.
# Replace the value with the output of slappasswd (rootpw {SSHA}...) and keep
# slapd.conf readable only by the slapd user (mode 0600) -- the same file
# also carries the idassert credentials for both remote servers.

database ldap
suffix "cn=manager,dc=ldapproxy,dc=com"
rootdn "cn=manager,dc=ldapproxy,dc=com"
rootpw secret

# Database LDAP for LDAP 1
# back-ldap instance that serves ou=LDAP1,dc=ldapproxy,dc=com by proxying
# to ou=People,dc=example,dc=com on ldaphost1; the rwm overlay at the bottom
# rewrites the suffix in both directions.
database        ldap
suffix          "ou=LDAP1,dc=ldapproxy,dc=com"

# SECURITY: ldap:// with no TLS -- the credentials clients present to the
# proxy and the idassert credentials below are forwarded over this link in
# clear text. Prefer ldaps:// or the back-ldap "tls" directive (slapd-ldap(5))
# if ldaphost1 supports StartTLS.
uri ldap://ldaphost1.example.com

# Only operations whose bound DN matches idassert-authzFrom (the proxy
# manager) have the cn=ldapadm identity asserted; flags=non-prescriptive
# means every other client is forwarded as itself (anonymous if unbound)
# instead of being rejected. mode=none appears to mean no proxyAuthz control
# is sent, so the manager's operations run on the target as cn=ldapadm
# itself -- confirm against slapd-ldap(5). The credentials are stored in
# clear text: keep this file mode 0600.
idassert-bind bindmethod=simple
   binddn="cn=ldapadm,dc=example,dc=com"
   credentials="secret"
   mode=none
   flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=Manager,dc=ldapproxy,dc=com"

# SECURITY: the anonymous ldapsearch shown later on this page (-x, no -D)
# returned userPassword for this tree, i.e. ldaphost1 lets unauthenticated
# clients read password hashes and the proxy relays them. The frontend does
# honor read ACLs on entries returned by back-ldap (slapd-ldap(5), ACCESS
# CONTROL), so add to this database something like
#   access to attrs=userPassword by anonymous auth by * none
#   access to * by * read
# and fix the ACLs on ldaphost1 as well.
overlay rwm
rwm-suffixmassage   "ou=LDAP1,dc=ldapproxy,dc=com" "ou=People,dc=example,dc=com"

# Database LDAP for LDAP 2
# back-ldap instance that serves ou=LDAP2,dc=ldapproxy,dc=com by proxying
# to ou=People,dc=example,dc=biz on ldaphost2; the rwm overlay at the bottom
# rewrites the suffix in both directions.
database        ldap
suffix          "ou=LDAP2,dc=ldapproxy,dc=com"

# SECURITY: ldap:// with no TLS -- the credentials clients present to the
# proxy and the idassert credentials below are forwarded over this link in
# clear text. Prefer ldaps:// or the back-ldap "tls" directive (slapd-ldap(5))
# if ldaphost2 supports StartTLS.
uri  ldap://ldaphost2.example.biz

# Same identity-assertion policy as the LDAP 1 database: only the proxy
# manager (idassert-authzFrom) is mapped to cn=ldapadm; non-prescriptive
# lets every other client through as itself (anonymous if unbound). The
# credentials are stored in clear text: keep this file mode 0600.
idassert-bind bindmethod=simple
  binddn="cn=ldapadm,dc=example,dc=biz"
  credentials="secret"
  mode=none
  flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=Manager,dc=ldapproxy,dc=com"

# SECURITY: the anonymous ldapsearch shown later on this page returned
# userPassword for this tree as well; see the note on the LDAP 1 database --
# add a read ACL on userPassword here and fix the ACLs on ldaphost2.
overlay rwm
rwm-suffixmassage   "ou=LDAP2,dc=ldapproxy,dc=com" "ou=People,dc=example,dc=biz"

The configuration above works.

LDAP Search with ou=LDAP1


    [root@ldapproxy ~]# ldapsearch -x -h ldapproxy.com -b ou=LDAP1,dc=ldapproxy,dc=com
    # extended LDIF
    #
    # LDAPv3
    # base <ou=LDAP1,dc=ldapproxy,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # LDAP1, ldapproxy.com
    dn: ou=LDAP1,dc=ldapproxy,dc=com
    objectClass: organizationalUnit
    ou: People

    # shatrughan.saxena, LDAP1, ldapproxy.com
    dn: uid=shatrughan.saxena,ou=LDAP1,dc=ldapproxy,dc=com
    objectClass: top
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount
    cn: shatrughan.saxena
    uid: shatrughan.saxena
    uidNumber: 9999
    gidNumber: 100
    homeDirectory: /home/shatrughan.saxena
    loginShell: /bin/bash
    gecos: Shatrughan Saxena[Admin]
    shadowLastChange: 17058

    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    userPassword:: xsxlsjdojldwlxlsxlzxjojojljlxlsl=

    # search result
    search: 2
    result: 0 Success

    # numResponses: 3
    # numEntries: 2
    [root@ldapproxy ~]#

LDAP Search with ou=LDAP2

[root@ldapproxy ~]# ldapsearch -x -h ldapproxy.com -b ou=LDAP2,dc=ldapproxy,dc=com  
# extended LDIF
#
# LDAPv3
# base <ou=LDAP2,dc=ldapproxy,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# LDAP2, ldapproxy.com
dn: ou=LDAP2,dc=ldapproxy,dc=com
objectClass: organizationalUnit
ou: People

# amitabh.bachchan, LDAP2, ldapproxy.com
dn: uid=amitabh.bachchan,ou=LDAP2,dc=ldapproxy,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: amitabh.bachchan
uid: amitabh.bachchan
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/amitabh.bachchan
loginShell: /bin/bash
gecos: Amitabh Bachchan[Admin]
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
userPassword:: reyyrweroaldadaiinaknz2ewueowue=

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
[root@ldapproxy ~]#

My problem is that when I run ldapsearch I have to name the OU in the base DN; I cannot use dc=ldapproxy,dc=com as the base DN and get entries from both the LDAP1 and LDAP2 OUs in one search. See the ldapsearch command below:

[root@ldapproxy ~]# ldapsearch -x -h ldapproxy.com -b dc=ldapproxy,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=ldapproxy,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
[root@ldapproxy ~]#

I need help to configure my LDAP proxy server to show details of both domains using just baseDN values.

Regards.


Solution

  • I resolved the problem by using a single meta database instead of one ldap database per OU: back-meta owns the whole dc=ldapproxy,dc=com suffix and fans a search out to each target URI, so the base DN no longer has to name an OU. Note that the anonymous searches above (ldapsearch -x with no -D) returned userPassword hashes from both servers; before exposing the proxy, add an ACL that denies userPassword reads to unauthenticated clients and fix the ACLs on the backend servers. The slapd.conf configuration finally looks like this:

    I am only posting DB config here

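    #######################################################################
    # META Database Definitions
    #######################################################################
    #
    # A single back-meta database rooted at dc=ldapproxy,dc=com. Each "uri"
    # below names one target; the DN in the URI is the naming context that
    # target serves inside the proxy tree, and the following "suffixmassage"
    # rewrites it to the target's real suffix. Because the whole tree is one
    # database, a search based at dc=ldapproxy,dc=com is fanned out to both
    # targets (which is what the per-OU back-ldap setup could not do).
    
    # Database
    database        meta
    suffix "dc=ldapproxy,dc=com"
    rootdn "cn=manager,dc=ldapproxy,dc=com"
    # SECURITY: replace this clear-text value with the output of slappasswd
    # (rootpw {SSHA}...) and keep slapd.conf mode 0600, owned by the slapd
    # user -- the file also holds the idassert credentials below.
    rootpw secret
    
    # SECURITY: the anonymous ldapsearch in the question (-x, no -D) returned
    # userPassword hashes from both targets, so unauthenticated clients can
    # read them through the proxy. Per slapd-meta(5) (ACCESS CONTROL) the
    # frontend honors read ACLs on the entries back-meta returns, so refuse
    # to relay password hashes. The final "access to *" keeps the default
    # read policy for everything else; tighten it to "by users read" if
    # anonymous browsing of the proxy is not required.
    access to attrs=userPassword
        by anonymous auth
        by * none
    access to *
        by * read
    
    # LDAP 1
    # SECURITY: ldap:// with no TLS -- forwarded client credentials and the
    # idassert credentials cross this link in clear text. Use ldaps:// or the
    # back-meta "tls" directive (slapd-meta(5)) if ldaphost1 supports it.
    uri ldap://ldaphost1.example.com/ou=LDAP1,dc=ldapproxy,dc=com
    
    # lastmod off: the proxy does not maintain modifiersName/modifyTimestamp
    # etc. itself; whatever the target returns is passed through.
    lastmod       off
    suffixmassage   "ou=LDAP1,dc=ldapproxy,dc=com" "ou=People,dc=example,dc=com"
    # Only the proxy manager (idassert-authzFrom) is mapped to cn=ldapadm;
    # flags=non-prescriptive forwards every other client as itself
    # (anonymous if unbound) instead of rejecting it.
    idassert-bind bindmethod=simple
       binddn="cn=ldapadm,dc=example,dc=com"
       credentials="secret"
       mode=none
       flags=non-prescriptive
    idassert-authzFrom "dn.exact:cn=Manager,dc=ldapproxy,dc=com"
    
    
    # LDAP 2
    # SECURITY: same clear-text link as LDAP 1; see the note above.
    uri  ldap://ldaphost2.example.biz/ou=LDAP2,dc=ldapproxy,dc=com
    
    lastmod       off
    suffixmassage "ou=LDAP2,dc=ldapproxy,dc=com" "ou=People,dc=example,dc=biz"
    # Same identity-assertion policy as the LDAP 1 target.
    idassert-bind bindmethod=simple
      binddn="cn=ldapadm,dc=example,dc=biz"
      credentials="secret"
      mode=none
      flags=non-prescriptive
    idassert-authzFrom "dn.exact:cn=Manager,dc=ldapproxy,dc=com"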