I have a web application that uses Active Directory to authenticate users, and I'm trying to replace AD with OpenLDAP.
The documentation says that I need to log on the domain controller as administrator, open the user management window, click on the appropriate organizational unit and add the userids to the proper groups (these groups should have scope "Global" and group type "Security").
I need to create the equivalent entries on my OpenLDAP server. Can someone provide an example LDIF for this? I don't know the class nor the attributes I should use, and I don't have access to a domain controller. The most problematic items seems to be group type and scope, because they seem to be binary values, not strings.
Please note that I don't want to replace Active Directory completely - I just need userids and groups. I've tried adding microsoft.schema to OpenLDAP, but it doesn't work. I've found some information about modifying the schema for Microsoft Outlook; I need something similar but simpler.
It's almost impossible to convert the entire ActiveDirectory schema to OpenLDAP, it's huge. However, we can add only the needed attributes and classes:
attributetype ( 1.2.840.113556.1.4.750 NAME 'groupType'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE
)
attributetype ( 1.3.114.7.4.2.0.33 NAME 'memberOf'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.26'
)
objectclass ( 1.2.840.113556.1.5.9 NAME 'user'
DESC 'a user'
SUP organizationalPerson STRUCTURAL
MUST ( cn )
MAY ( userPassword $ memberOf ) )
objectclass ( 1.2.840.113556.1.5.8 NAME 'group'
DESC 'a group of users'
SUP top STRUCTURAL
MUST ( groupType $ cn )
MAY ( member ) )
Then it's easy to create an LDIF file for inserting the users and groups:
dn: dc=myCompany
objectClass: top
objectClass: dcObject
objectClass: organization
dc: myCompany
o: LocalBranch
dn: ou=People,dc=myCompany
objectClass: top
objectClass: organizationalUnit
ou: People
description: Test database
dn: cn=Users,dc=myCompany
objectClass: groupOfNames
objectClass: top
cn: Users
member: cn=Manager,cn=Users,dc=myCompany
dn: cn=Manager,cn=Users,dc=myCompany
objectClass: person
objectClass: top
cn: Manager
sn: Manager
userPassword:: e1NIQX1tc0lKSXJCVU1XdmlPRUtsdktmV255bjJuWGM9
dn: cn=ReadWrite,ou=People,dc=myCompany
objectClass: group
objectClass: top
cn: ReadWrite
groupType: 2147483650
member: cn=sysconf,ou=People,dc=myCompany
dn: cn=sysopr,ou=People,dc=myCompany
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: sysopr
sn: team
memberOf: cn=ReadOnly,ou=People,dc=myCompany
userPassword:: e1NIQX1jUkR0cE5DZUJpcWw1S09Rc0tWeXJBMHNBaUE9
Ok, here is the begining of an answer :
Once you installed your OPENLdap
A - Edit your slapd.conf
to :
1) Modify the schemas included
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetperson.schema
2) Modifiy schema files as explained in this FAQ
3) Modify your naming context (personaly I'am using HDB as backend)
database hdb
suffix "dc=dom,dc=com"
rootdn "cn=Manager,dc=dom,dc=com"
rootpw secret
directory /usr/local/var/openldap-hdb
4) Then restart your directory
B - Insert your root
Here is the LDIF file (root.ldif)
dn: dc=dom,dc=com
objectclass: dcObject
objectclass: organization
o: Company name
dc: dom
Here is the command line
ldapadd –x –D "cn=Manager,dc=dom,dc=com" -W –f root.ldif
C - Insert a user
Here is the LDIF file (user.ldif)
dn: cn=user1,dc=dom,dc=com
objectClass: inetOrgPerson
sn: users
cn: user1
telephoneNumber: 9999
Here is the command line
ldapadd –x –D "cn=Manager,dc=dom,dc=com" -W –f user.ldif
D - An advice
Apache directory studio, is for me, a VERY good LDAP Browser, it's Open Source, it works on the top of java on Linux and Windows. Using it you can graphicaly browse AD and OpenLdap and do parts B and C just clicking.
Active-Directory Schema (Classes and attributes) are documented in the MSDN. For example here are the information about groupType. Is it what you expect?