Bounty: 50
We are trying to set up an OpenLDAP server (slapd) on Ubuntu 18.04 with this goal: create a custom group on the slapd server whose members come from Active Directory (AD).
We have now set up a translucent proxy (because it seems to do what we want), as follows:
/etc/ldap# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Include schemas
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
#include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/ad.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
modulepath /usr/lib/ldap
moduleload back_meta
moduleload back_mdb
moduleload back_ldap
moduleload back_hdb
moduleload rwm
moduleload translucent
#moduleload memberof
moduleload pcache
# Enable TLS
#TLSCACertificateFile /etc/ldap/ca.pem
#TLSCertificateFile /etc/ldap/cert.pem
#TLSCertificateKeyFile /etc/ldap/key.pem
# Log level
loglevel 4095
#######################################################################
# database definitions
#######################################################################
database mdb
suffix "dc=xxx,dc=yyy,dc=net"
rootdn "cn=admin,dc=xxx,dc=yyy,dc=net"
rootpw "SupeSecretSecret"
directory /etc/ldap/mdb
#index objectClass eq
overlay translucent
# Search filters on the attributes listed here are evaluated against the local mdb database
# (see slapo-translucent(5))
translucent_local carLicense
# Remote (AD) connection used by the overlay. tls_reqcert=allow means a missing or
# unverifiable server certificate is ignored and the session proceeds (ldap.conf(5)).
tls ldaps tls_reqcert=allow
uri ldaps://AD1.xxx.yyy.net:636
lastmod off
# Identity the proxy uses internally to collect access-control information (slapd-ldap(5))
acl-bind binddn="cn=BindUSer,ou=zzz,ou=Users,ou=bbb,dc=xxx,dc=yyy,dc=net" credentials="AnotherSuperSecretSecret"
Now we are able to perform an ldapsearch through the LDAP proxy to the AD, but we have to pass a bind user to ldapsearch, as if the bind user defined in the configuration were ignored.
What I do not understand is how I can create a group in the local LDAP DB and insert users from the remote AD.
What am I missing?
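As an added check, not part of the question or of the poster's configuration: a small POSIX shell linter that reads a slapd.conf and prints the settings a security reviewer would flag before such a proxy goes into production. The input below is a constructed fragment modelled on the configuration above (hostnames, DNs and passwords are placeholders), and the remediation hints in the messages are my assumptions, not anything the original post states.

```shell
#!/bin/sh
# Added example: lint a slapd.conf for settings a security reviewer would flag.
# Constructed input modelled on the posted configuration; every value is a placeholder.
SAMPLE_CONF='# See slapd.conf(5)
allow bind_v2
loglevel 4095
database mdb
suffix "dc=xxx,dc=yyy,dc=net"
rootpw "SupeSecretSecret"
overlay translucent
tls ldaps tls_reqcert=allow
uri ldaps://AD1.xxx.yyy.net:636
acl-bind binddn="cn=BindUSer,ou=zzz,dc=xxx,dc=yyy,dc=net" credentials="AnotherSuperSecretSecret"'

# lint_slapd_conf: read slapd.conf text on stdin, print one finding per line.
# Comment and blank lines are skipped; the default IFS of read trims leading blanks.
lint_slapd_conf() {
  while read -r line; do
    case "$line" in
      ''|'#'*) continue ;;
      allow*bind_v2*)
        echo "bind_v2: LDAPv2 binds accepted; LDAPv2 is deprecated and has no SASL bind" ;;
      'loglevel 4095'*|'loglevel -1'*)
        echo "loglevel: full debug logging writes connections, operations and filters to syslog" ;;
      rootpw*)
        case "$line" in
          rootpw*'{'*'}'*) ;;   # hashed value such as {SSHA}..., nothing to report
          *) echo "rootpw: cleartext password; store a slappasswd hash instead" ;;
        esac ;;
      *tls_reqcert=allow*|*tls_reqcert=never*)
        echo "tls_reqcert: remote certificate not verified; the AD link can be intercepted" ;;
      acl-bind*credentials=*|idassert-bind*credentials=*)
        echo "bind credentials: password embedded in slapd.conf; keep the file 0640 root:openldap" ;;
    esac
  done
}

# count_findings: number of findings for the constructed sample (used as the check).
count_findings() {
  printf '%s\n' "$SAMPLE_CONF" | lint_slapd_conf | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_CONF" | lint_slapd_conf
```

Run it against a real file with `lint_slapd_conf < /etc/ldap/slapd.conf`; the sample above produces five findings, one for each of bind_v2, loglevel, rootpw, tls_reqcert and the acl-bind password.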