ad2openldap

I’ve been porting our Active Directory based LDAP scripts to OpenLDAP.

Here’s what I have so far:

in /etc/openldap/slapd.conf

changed

suffix                "dc=my-domain,dc=com"
rootdn                "cn=Manager,dc=my-domain,dc=com"

To:
suffix                "dc=myproject,dc=mycompany,dc=int"
rootdn                "cn=Manager,dc=myproject,dc=mycompany,dc=int"

And added a password generated with:

slappasswd -s password

That looks like this:
rootpw                 {SSHA}qGjxdj5lesdqFmAJNk4Mn/c3uYULH06q

I have a “blow away the DB and restart” script that looks like this:
#  cat ~adyoung/bin/reset_ldap

/etc/init.d/ldap stop
rm -f /var/lib/ldap/*
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
/etc/init.d/ldap start

I can insert things into the database with:

ldapadd -D "cn=Manager,dc=myproject,dc=mycompany,dc=int" -x -w mycompany -f my_schema.ldif

Note that the first thing inserted has to be the top level item itself:

dn: dc=myproject,dc=mycompany,dc=int
changetype: add
objectClass: top
objectClass: dcObject
objectClass: organization
o: myproject
dc: myproject

I can query what objects are in this DB  by running

ldapsearch -LLL -x -b 'dc=myproject,dc=mycompany,dc=int' '(objectclass=*)'
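The ordering rule above (the suffix entry first, then everything below it, parents before children) is the usual reason an ldapadd run stops with "No such object" part way through a file. The following pre-flight check is an added example, not a script from the original post: it parses the dn of every entry in an LDIF file and reports entries that are out of order or outside the suffix before anything touches slapd. It assumes the suffix from the post and plain DNs without escaped commas; the two LDIF samples are constructed.

```python
"""Pre-flight ordering check for an LDIF file before ldapadd (added example).

Rules checked: the first entry is the suffix itself, every dn lies under the
suffix, and each parent is added before its children.
"""
import base64
import sys

# Suffix from the post's slapd.conf (assumption: the same naming context).
SUFFIX = "dc=myproject,dc=mycompany,dc=int"


def normalize_dn(dn):
    """Lower-case the DN and drop the optional spaces around ',' and '=' so that
    'dc=myproject, dc=mycompany' compares equal to 'dc=myproject,dc=mycompany'.
    Assumes values contain no escaped commas (none of the post's DNs do)."""
    return ",".join(
        "=".join(part.strip() for part in rdn.split("=", 1))
        for rdn in dn.split(",")
    ).lower()


def parse_ldif_dns(text):
    """Return the dn of each entry in file order.  Entries are separated by
    blank lines, '#' lines are comments, and a line starting with a space
    continues the previous line (LDIF folding).  'dn::' carries base64."""
    dns = []
    for block in text.split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#") or not raw.strip():
                continue
            if raw.startswith(" ") and lines:      # folded continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        for line in lines:
            if line.lower().startswith("dn::"):
                dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
                break
            if line.lower().startswith("dn:"):
                dns.append(line[3:].strip())
                break
    return dns


def parent_dn(dn):
    """Drop the leftmost RDN: 'cn=x,dc=a,dc=b' -> 'dc=a,dc=b'."""
    return dn.split(",", 1)[1] if "," in dn else ""


def check_ldif_order(text, suffix=SUFFIX):
    """Return a list of problems; an empty list means the file is safe to add."""
    problems = []
    suffix = normalize_dn(suffix)
    dns = [normalize_dn(d) for d in parse_ldif_dns(text)]
    if not dns:
        return ["no entries found"]
    if dns[0] != suffix:
        problems.append(f"first entry is {dns[0]!r}, expected the suffix {suffix!r}")
    seen = set()
    for dn in dns:
        if dn != suffix and not dn.endswith("," + suffix):
            problems.append(f"{dn!r} is outside the suffix")
        elif dn != suffix and parent_dn(dn) not in seen:
            problems.append(f"{dn!r} is added before its parent {parent_dn(dn)!r}")
        seen.add(dn)
    return problems


# Constructed sample: correctly ordered, starting with the suffix entry.
GOOD_LDIF = """dn: dc=myproject,dc=mycompany,dc=int
changetype: add
objectClass: top
objectClass: dcObject
objectClass: organization
o: myproject
dc: myproject

dn: ou=people,dc=myproject,dc=mycompany,dc=int
objectClass: organizationalUnit
ou: people

dn: cn=alice,ou=people,dc=myproject,dc=mycompany,dc=int
objectClass: person
cn: alice
sn: Example
"""

# Constructed sample: no suffix entry, child before parent, one foreign dn.
BAD_LDIF = """dn: cn=alice,ou=people,dc=myproject,dc=mycompany,dc=int
objectClass: person
cn: alice
sn: Example

dn: ou=people,dc=myproject, dc=mycompany, dc=int
objectClass: organizationalUnit
ou: people

dn: ou=other,dc=elsewhere,dc=int
objectClass: organizationalUnit
ou: other
"""

if __name__ == "__main__":
    # Usage: python check_ldif.py my_schema.ldif   (no argument: run the samples)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_LDIF
    for problem in check_ldif_order(text) or ["ok"]:
        print(problem)
```

Run it over the file you are about to hand to ldapadd; the bad sample reports four problems (missing suffix entry, the person before its ou, the ou before the suffix, and the entry under dc=elsewhere), while the good sample reports none.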

I’ve been converting our ldif files for the schema into schema files, as I can then test them by running the above script, which, amongst other things, runs slaptest.

When you insert an object into the LDAP DB, it has to have an objectclass.  Attribute types are the simple values used to compose objectclasses, and they have to be defined before the objectclasses that use them.  Here is a sample in schema format:

attributetype ( 1.3.6.1.4.1.6876.40.1.4.1202 NAME 'project-IsGroup'
DESC 'Whether a principal refers to a group or a user'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )

The number is an OID, and the scheme is designed to be globally unique: the leading portion is assigned by a central registry (1.3.6.1.4.1 is the IANA private enterprise arc, and the component after it is the enterprise number), and the remainder is defined by the end company.  The SYNTAX keyword references one of the syntax OIDs defined in this document:

ftp://ftp.isi.edu/in-notes/rfc2252.txt

The above attributetype definition uses 1.3.6.1.4.1.1466.115.121.1.26, the syntax for IA5 String, a character set that is “not-quite-ascii”.  The EQUALITY keyword references a matching rule, and each matching rule is defined for a particular syntax, so it requires that the values be valid in that syntax.  Our ldif files are sloppy, in that many of the attributetype definitions use syntaxes other than the one above, but still specify EQUALITY rules that are IA5 based.  I suspect this is a case of MS doing something deliberately broken...
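Finding those mismatches by hand across a large converted schema is tedious, so here is an added example (not code from the original post) that scans attributetype definitions and reports any whose EQUALITY rule is defined on a different syntax than the declared SYNTAX. The matching-rule table is the small RFC 4517 subset needed here; the sample schema text and its 1.3.6.1.4.1.99999 OID arc are constructed placeholders, and rules not in the table are skipped rather than guessed.

```python
"""Flag attributetype definitions whose EQUALITY rule does not belong to the
declared SYNTAX (added example, not from the original post)."""
import re

IA5 = "1.3.6.1.4.1.1466.115.121.1.26"
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"

# Matching rule -> the assertion syntax it is defined on (RFC 4517 subset).
MATCHING_RULE_SYNTAX = {
    "caseexactia5match": IA5,
    "caseignoreia5match": IA5,
    "caseexactmatch": DIRECTORY_STRING,
    "caseignorematch": DIRECTORY_STRING,
    "booleanmatch": "1.3.6.1.4.1.1466.115.121.1.7",
    "integermatch": "1.3.6.1.4.1.1466.115.121.1.27",
    "distinguishednamematch": "1.3.6.1.4.1.1466.115.121.1.12",
    "numericstringmatch": "1.3.6.1.4.1.1466.115.121.1.36",
    "octetstringmatch": "1.3.6.1.4.1.1466.115.121.1.40",
}


def iter_attributetypes(text):
    """Yield the body of each 'attributetype ( ... )' block.  The scan tracks
    single-quoted strings so a ')' inside a DESC does not end the block early
    (escaped quotes inside DESC are not handled)."""
    pos = 0
    while True:
        m = re.search(r"^\s*attributetype\s*\(", text[pos:], re.MULTILINE | re.IGNORECASE)
        if not m:
            return
        start = pos + m.end()
        depth, in_quote, i = 1, False, start
        while i < len(text) and depth:
            ch = text[i]
            if ch == "'":
                in_quote = not in_quote
            elif not in_quote:
                if ch == "(":
                    depth += 1
                elif ch == ")":
                    depth -= 1
            i += 1
        yield text[start:i - 1]
        pos = i


def parse_attributetype(body):
    """Pull the OID, NAME, EQUALITY and SYNTAX keywords out of one definition."""
    def grab(pattern):
        m = re.search(pattern, body, re.IGNORECASE)
        return m.group(1) if m else None

    return {
        "oid": body.split(None, 1)[0],
        "name": grab(r"NAME\s+\(?\s*'([^']*)'"),          # first name if a list
        "equality": grab(r"EQUALITY\s+([\w-]+)"),
        "syntax": grab(r"SYNTAX\s+'?([0-9.]+)"),           # tolerates quotes, drops {len}
    }


def find_mismatches(text):
    """Return (name, equality, declared_syntax, rule_syntax) for each definition
    whose EQUALITY rule is defined on a different syntax than the one declared."""
    out = []
    for body in iter_attributetypes(text):
        at = parse_attributetype(body)
        if not at["equality"] or not at["syntax"]:
            continue
        expected = MATCHING_RULE_SYNTAX.get(at["equality"].lower())
        if expected and expected != at["syntax"]:
            out.append((at["name"], at["equality"], at["syntax"], expected))
    return out


# Constructed sample under a placeholder OID arc: the second definition pairs a
# Directory String syntax with an IA5 matching rule, the sloppiness at issue.
SAMPLE_SCHEMA = """
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'project-IsGroup'
        DESC 'Whether a principal refers to a group or a user (yes/no)'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'project-DisplayName'
        DESC 'Human readable name'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

attributetype ( 1.3.6.1.4.1.99999.1.3 NAME 'project-Count'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
"""

if __name__ == "__main__":
    for name, rule, declared, expected in find_mismatches(SAMPLE_SCHEMA):
        print(f"{name}: EQUALITY {rule} expects syntax {expected}, SYNTAX is {declared}")
```

Point it at the converted .schema files before running slaptest; each reported line names the attribute, the rule it uses, and the syntax that rule actually expects, which is the information needed to decide whether to change the SYNTAX or the EQUALITY.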

Our objecttype definitions seem to be OK, although we reference a SUP (supertype) of container that doesn’t seem to be defined in the OpenLDAP schema.
