TremoloSecurity / MyVirtualDirectory

Open Source LDAP Virtual Directory
Apache License 2.0

Combining AD as a branch of OpenLdap #33

Open jlmagc opened 7 years ago

jlmagc commented 7 years ago

Hello, I'm trying to set up myvd to join two directories: OpenLdap and Active Directory. The idea is that the AD will appear as a branch of the OpenLdap. The OpenLdap directory does not need translation, so it will be the DN root (dc=xxxxxx,dc=com) and the AD will be dc=bsi,dc=xxxxxxxx,dc=com. I've been able to work with both directories separately, but when I have both, it starts doing strange stuff and shows the content of the AD in all folders of the OpenLdap.


What am I doing wrong?

server.listener.port=10389

#No global chain
server.globalChain=

#Setup a single proxy
server.nameSpaces=openldap,activedirectory

server.openldap.chain=LDAPopenldap
server.openldap.nameSpace=dc=xxxxxxx,dc=com
server.openldap.weight=20
server.openldap.LDAPopenldap.className=net.sourceforge.myvd.inserts.ldap.LDAPInterceptor
server.openldap.LDAPopenldap.config.host=localhost
server.openldap.LDAPopenldap.config.port=389
server.openldap.LDAPopenldap.config.remoteBase=dc=xxxxxxx, dc=com
server.openldap.LDAPopenldap.config.proxyDN=cn=manager, dc=xxxxxxx, dc=com
server.openldap.LDAPopenldap.config.proxyPass=yyyyyyy

server.activedirectory.chain=uuid2text,dnmapper,objmap,membertrans,ldap
server.activedirectory.nameSpace=dc=bsi,dc=xxxxxxx,dc=com
server.activedirectory.weight=10
server.activedirectory.enabled=true
server.activedirectory.uuid2text.className=com.tremolosecurity.proxy.myvd.inserts.util.UUIDtoText
server.activedirectory.uuid2text.config.attributeName=objectGUID
server.activedirectory.dnmapper.className=net.sourceforge.myvd.inserts.mapping.DNAttributeMapper
server.activedirectory.dnmapper.config.dnAttribs=uniqueMember,member,memberOf,distinguishedName
server.activedirectory.dnmapper.config.localBase=dc=bsi,dc=xxxxxxx,dc=com
server.activedirectory.dnmapper.config.urlAttribs=
server.activedirectory.dnmapper.config.remoteBase=dc=mia,dc=usa,dc=sinvest
server.activedirectory.objmap.className=net.sourceforge.myvd.inserts.mapping.AttributeValueMapper
server.activedirectory.objmap.config.mapping=objectClass.inetOrgPerson=user,objectClass.groupOfUniqueNames=group
server.activedirectory.membertrans.className=net.sourceforge.myvd.inserts.mapping.AttributeMapper
server.activedirectory.membertrans.config.mapping=uniqueMember=member,uid=samAccountName
server.activedirectory.ldap.className=net.sourceforge.myvd.inserts.ldap.LDAPInterceptor
server.activedirectory.ldap.config.host=miadc01.mia.usa.sinvest
server.activedirectory.ldap.config.port=389
server.activedirectory.ldap.config.remoteBase=dc=mia,dc=usa,dc=sinvest
server.activedirectory.ldap.config.proxyDN=cn=SPB Val User,cn=users,dc=mia,dc=usa,dc=sinvest
server.activedirectory.ldap.config.proxyPass=yyyyyy
server.activedirectory.ldap.config.ignoreRefs=true
server.activedirectory.ldap.config.passBindOnly=true
server.activedirectory.ldap.config.maxIdle=300000
server.activedirectory.ldap.config.maxMillis=30000
server.activedirectory.ldap.config.maxStaleTimeMillis=10000
server.activedirectory.ldap.config.minimumConnections=10

mlbiam commented 7 years ago

Huh, that looks like a referral. What happens if you add the ignoreRefs=true option to the openldap? Looks like that's JXplorer? What happens if you do a search using ldapsearch?

jlmagc commented 7 years ago

I tried that, but it behaves the same way. When I use ldapsearch directly, as follows:

ldapsearch -b "dc=dev,dc=xxxxxxxx,dc=com" -p 10389 -h localhost -s one

I received the following

ecodev@mia-hq-jakku.mia.usa.sinvest:/opt/eco/ecodev/myvd-server-1.0.1/bin
ldapsearch -b "dc=dev,dc=xxxxxxx,dc=com" -p 10389 -h localhost -s one

# extended LDIF
#
# LDAPv3
# base <dc=dev,dc=xxxxxxx,dc=com> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#

# groups, dev.xxxxxxx.com
dn: cn=groups,dc=dev,dc=xxxxxxx,dc=com
description: generic groups branch
cn: groups
objectClass: top
objectClass: organizationalRole

# users, dev.xxxxxxx.com
dn: cn=users,dc=dev,dc=xxxxxxx,dc=com
description: generic groups branch
cn: users
objectClass: top
objectClass: organizationalRole

# officers, dev.xxxxxxx.com
dn: cn=officers,dc=dev,dc=xxxxxxx,dc=com
description: generic groups branch
cn: officers
objectClass: top
objectClass: organizationalRole

# employees, dev.xxxxxxx.com
dn: cn=employees,dc=dev,dc=xxxxxxx,dc=com
description: generic groups branch
cn: officers
cn: employees
objectClass: top
objectClass: organizationalRole

# Affiliates, bsi.xxxxxxx.com
dn: OU=Affiliates,dc=bsi,dc=xxxxxxx,dc=com
ou: Affiliates
uSNCreated: 63578
description: xxxxxxxxxxxxxxxx
whenChanged: 20160119190541.0Z
objectClass: top
objectClass: organizationalUnit
street:: xxxxxxxxxxxxxxxxxxxxxxx

and about 70 more responses, all of them from the AD. The interesting thing is that the entries returned from the AD have the DN OU=Affiliates,dc=bsi,dc=xxxxxxx,dc=com, but the filter of the search is -b "dc=dev,dc=xxxxxxx,dc=com", so they should not appear.

JL


mlbiam commented 7 years ago

OK, back from vacation. Going to try to reproduce this. It sounds like a routing issue.

jlmagc commented 7 years ago

Thanks Marc, really appreciate the help.


mlbiam commented 7 years ago

Good news is I reproduced it, no problem. Smells like a routing bug, let's see what I can find.

mlbiam commented 7 years ago

If the search is the peer of a namespace, the namespace is not being excluded.
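The routing rule behind that diagnosis, as an added Python illustration (not MyVirtualDirectory's own Java router): a namespace receives a search only when it contains the search base or hangs beneath it within the scope; a namespace that is merely a peer of the base (a sibling under the same parent, like dc=bsi next to dc=dev) is excluded. Namespace DNs are constructed from the thread's configuration.

```python
# Added illustration of DN-suffix search routing; not MyVD's own code.

def rdns(dn):
    """Split a DN into lowercased RDNs, tolerating spaces after commas."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def is_under(dn, ancestor):
    """True when dn equals ancestor or lies beneath it (RDN suffix match)."""
    d, a = rdns(dn), rdns(ancestor)
    return len(d) >= len(a) and d[len(d) - len(a):] == a

def route(namespaces, base, scope):
    """Return the namespace names that must receive the search.

    namespaces: {name: namespace DN}; scope: 'base', 'one' or 'sub'.
    Rule 1: of the namespaces that contain the base, the most specific one
            (longest suffix) serves the base entry and its subtree.
    Rule 2: a namespace mounted below the base is added when the scope can
            reach its root (depth 1 for 'one', any depth for 'sub').
    Anything else, including peers of the base, is excluded.
    """
    containing = [(len(rdns(ns)), n) for n, ns in namespaces.items()
                  if is_under(base, ns)]
    targets = [max(containing)[1]] if containing else []
    for name, ns in namespaces.items():
        if name in targets or not is_under(ns, base):
            continue
        depth = len(rdns(ns)) - len(rdns(base))
        if depth > 0 and (scope == "sub" or (scope == "one" and depth == 1)):
            targets.append(name)
    return targets

# Constructed namespaces mirroring the thread's configuration.
NAMESPACES = {
    "openldap": "dc=xxxxxxx, dc=com",
    "activedirectory": "dc=bsi,dc=xxxxxxx,dc=com",
}

if __name__ == "__main__":
    for base, scope in [("dc=dev,dc=xxxxxxx,dc=com", "one"),
                        ("dc=xxxxxxx,dc=com", "one"),
                        ("ou=Affiliates,dc=bsi,dc=xxxxxxx,dc=com", "sub")]:
        print(f"{base} ({scope}) -> {route(NAMESPACES, base, scope)}")
```

The first case is the one-level search from the thread: only openldap should answer it, so any AD entries in that result set point at the router, not the backend.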

mlbiam commented 7 years ago

@jlmagc try dropping https://s3.amazonaws.com/unison-temp/myvd-server-1.0.1.jar into your myvd's libs directory and restart. I haven't done a full QA on this yet but give it a try, it seems to be working for your use case.

jlmagc commented 7 years ago

@Marc, I downloaded the jar and replaced the existing jar with the one you provided, but it still returns the same answer.


jlmagc commented 7 years ago

Sorry, my mistake. It seems to work. Let me give it a more thorough test and I'll let you know how it goes.

thanks!


jlmagc commented 7 years ago

OK, I applied the library, and it seems to work with the first-level search, but not with sublevels, i.e., the AD entries still appear in every sublevel.

mlbiam commented 7 years ago

Odd, I'm not having that issue. Those look like referrals. I see referrals are disabled for the AD server; what happens if you disable them for the openldap?

jlmagc commented 7 years ago

Same result. Something intriguing is that I see the branches in the openldap part, but the children don't appear. For example, if I open cn=externals,cn=users,cn=dev in the openldap, there are about 20 entries.

When I try to do it in the virtualized server, those 20 entries do not appear.

mlbiam commented 7 years ago

@jlmagc I can't reproduce this anymore for the life of me. I've set up automated test cases for everything I can think of. I created https://github.com/TremoloSecurity/MyVirtualDirectory/blob/1.0.2/src/test/java/net/sourceforge/myvd/test/router/TestSearchOverlap.java if you want to take a look. Something that's nagging at me is the entries; those look like referrals. Is your AD part of a multi-domain forest?