There are numerous ways to implement a metadirectory. The book lists a number of commercial products for this on page 209. However, you can just use OpenLDAP's proxy feature to set up your own.
OpenLDAP's proxy is a backend for building such a metadirectory. For it to work, you must specify translation attributes that map the vendor-specific attributes of one LDAP server onto names that OpenLDAP-enabled applications understand.
The OpenLDAP proxy feature is not enabled by default; it must be enabled at compile time. This means in order to use it, chances are you will have to compile your own OpenLDAP. During the initial configuration, you must pass the following options to compile OpenLDAP with it enabled:
# configure --enable-ldap --enable-rewrite
Once you have compiled and installed this new slapd, in order to integrate with an Active Directory domain, we will assume the following:
The Active Directory domain is configured as ad.odyssey.com.
The DNS name ad.odyssey.com resolves to the IP address of an Active Directory domain controller for that domain.
An account named ldap-proxy has been added to the Active Directory domain for use by the proxy server when binding to a Windows domain controller.
We begin our database declaration for this proxy in slapd.conf with the following:
# Proxy backend to access Active Directory
database ldap
This tells slapd to acquire the data for this directory from another LDAP server (this could be anything, it doesn't have to be Active Directory). If OpenLDAP complains about this option, then it hasn't been compiled with proxy support. Next, we must define the naming context of the database:
suffix ou=windows,dc=odyssey,dc=com
This is actually an arbitrary suffix and does not correspond with the DN of the users' container in Active Directory. Now we need to tell OpenLDAP about the target directory. If no rewriting is needed (i.e., if Unix accounts cannot use the passwd command to change their password universally), then the suffixmassage can be omitted:
uri ldap://ad.odyssey.com/
suffixmassage ou=windows,dc=odyssey,dc=com cn=users,dc=ad,dc=odyssey,dc=com
Next, we need to set the password for the ldap-proxy credentials for accessing the database:
OpenLDAP's proxy code provides a way to map attributes and object classes defined by its local schema to those stored in the target directory. The syntax for defining a mapping is:
map {attribute|objectclass} <local name> <foreign name>
So, for example, our directory should map Active Directory's sAMAccountName, name, and userPrincipalName to locally defined uid, cn, and mail attributes. We also need to map the local object class account to the target user object class:
map attribute uid sAMAccountName
map attribute cn name
map attribute mail userPrincipalName
map objectclass account user
You can then filter out any remaining attributes by mapping remote attributes to nothing:
map attribute *
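To make the effect of the suffixmassage and map directives above concrete, here is an added simulation (example code, not OpenLDAP's own implementation) of what the proxy does to a request and its result: the local suffix is swapped for the AD one, attribute and object class names in the filter are translated, and the returned entry is translated back with unmapped attributes dropped. The AD entry it works on is constructed for the example.

```python
import re

# Naming contexts from the suffix / suffixmassage directives above
LOCAL_SUFFIX = "ou=windows,dc=odyssey,dc=com"
REMOTE_SUFFIX = "cn=users,dc=ad,dc=odyssey,dc=com"

# The "map attribute <local> <foreign>" and "map objectclass" directives above
ATTR_MAP = {"uid": "sAMAccountName", "cn": "name", "mail": "userPrincipalName"}
OBJCLASS_MAP = {"account": "user"}
# LDAP names are case-insensitive, so reverse lookups are keyed in lower case
ATTR_UNMAP = {v.lower(): k for k, v in ATTR_MAP.items()}
OBJCLASS_UNMAP = {v.lower(): k for k, v in OBJCLASS_MAP.items()}


def massage_dn(dn, frm, to):
    """suffixmassage: swap the trailing naming context frm for to; RDNs untouched."""
    if dn.lower() == frm.lower():
        return to
    if dn.lower().endswith("," + frm.lower()):
        return dn[:-len(frm)] + to
    return dn  # not under the massaged suffix: passed through unchanged


def map_filter(flt):
    """Rewrite local attribute names and object classes in a simple LDAP filter."""
    def repl(m):
        attr, value = m.group(1), m.group(2)
        if attr.lower() == "objectclass":
            return "(objectClass=%s)" % OBJCLASS_MAP.get(value.lower(), value)
        return "(%s=%s)" % (ATTR_MAP.get(attr.lower(), attr), value)
    return re.sub(r"\(([A-Za-z][\w-]*)=([^()]*)\)", repl, flt)


def map_entry_back(dn, attrs):
    """Translate an AD entry into the local view: massage the DN back, rename
    mapped attributes, translate objectClass values, and drop every attribute
    without a mapping (the effect of "map attribute *")."""
    out = {}
    for name, values in attrs.items():
        if name.lower() == "objectclass":
            out["objectClass"] = [OBJCLASS_UNMAP.get(v.lower(), v) for v in values]
        elif name.lower() in ATTR_UNMAP:
            out[ATTR_UNMAP[name.lower()]] = list(values)
    return massage_dn(dn, REMOTE_SUFFIX, LOCAL_SUFFIX), out


# Constructed AD entry standing in for what ad.odyssey.com would return
AD_ENTRY = ("CN=John Doe,CN=Users,DC=ad,DC=odyssey,DC=com", {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["jdoe"], "name": ["John Doe"],
    "userPrincipalName": ["jdoe@ad.odyssey.com"],
    "objectSid": ["<constructed SID value>"], "pwdLastSet": ["0"]})
```

Running `map_filter("(&(objectClass=account)(uid=jdoe))")` yields the filter the AD controller actually sees, and `map_entry_back(*AD_ENTRY)` shows that objectSid and pwdLastSet never reach the client because nothing maps them.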
To see the results of the mapping, take a look at the ldapsearch results on pages 211-213.