dkoudela / active-directory-to-openldap

An attempt to provide tools and LDIF schemas for conversion of Active Directory structures to OpenLdap.
Apache License 2.0

Dockerize active-directory-to-openldap, bump slapd version, add GSSAPI SASL and add phpLDAPadmin for debug #9

Open stevenlafl opened 2 years ago

stevenlafl commented 2 years ago

I hope this serves to help someone.

Here's an example to run it. It will stand up an LDAP server. You could just run it in place of a different OpenLDAP docker. I can't really say much as to the correctness, so @dkoudela will have to help sanity check the result.

# $(pwd) is the shell form; $(shell pwd) only works inside a Makefile.
# ROOTPW passed via -e is readable by anyone who can run `docker inspect` on the container.
docker run \
      --rm \
      -it \
      -v $(pwd)/ldif:/app/ldif \
      -v $(pwd)/schema:/app/schema \
      -w /app \
      -e ROOTDN="dc=example,dc=com" \
      -e ROOTPW="secrets" \
      -e ADDADUSERPW=false \
      -e DEFAULTADUSERPW="topsecret" \
      stevenlafl/ad2openldap

Querying it I get:

$ ldapsearch -x -h localhost -b"dc=example,dc=com"

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
instanceType: 5
objectCategory: cn=Domain-DNS,cn=Schema,cn=Configuration,dc=example,dc=com
objectClass: mstop
objectClass: domain
objectClass: domainDNS
dc: example

# My Company Users, example.com
dn: ou=My Company Users,dc=example,dc=com
instanceType: 4
objectCategory: cn=Organizational-Unit,cn=Schema,cn=Configuration,dc=example,d
 c=com
objectClass: mstop
objectClass: organizationalUnit
ou:: TXkgQ29tcGFueSBVc2VycyA=

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

And authenticated use:

ldapsearch -x -h localhost -w secrets -D 'cn=Manager,dc=example,dc=com' -b"dc=example,dc=com"

AdrianVollmer commented 7 months ago

Thanks for the docker image.

I'm getting lots of errors with an LDIF file from AD. When I remove problematic attributes which may be custom to this instance, eventually I get this:

adding new entry "DC=contoso,DC=corp"
ldap_add: Object class violation (65)
        additional info: attribute 'gPLink' not allowed

gPLink is definitely not a custom attribute and it seems to be included in the schema. In this case the LDIF file only contains the domain object. What's wrong here?
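A pre-flight check for the "Object class violation (65) ... attribute 'gPLink' not allowed" failure above, added here as an example; it is not code from the project or from either commenter. slapd rejects an add when an attribute appears in the entry but none of the entry's objectClasses (or their superiors) list it as MUST or MAY, so the script parses LDIF (RFC 2849 line folding and `attr::` base64 values, both of which appear in the ldapsearch output earlier in the thread) and reports, per entry, the attributes the loaded schema would refuse. The `SCHEMA` dict is a constructed, deliberately incomplete subset of the AD classes (its `domainDNS` carries no `gPLink`, to reproduce the error); the sample LDIF is constructed from the thread's domain and OU objects, using the well-known Default Domain Policy GUID as the GPO name. Nothing here asserts what is actually wrong in the project's converted schema.

```python
import base64
from typing import Dict, List, Optional, Set, Tuple

Entry = Dict[str, List[str]]
# objectClass name -> (superior class or None, MUST attributes, MAY attributes)
Schema = Dict[str, Tuple[Optional[str], Set[str], Set[str]]]

# Constructed mini-schema (illustration only, not the project's LDIF schema).
SCHEMA: Schema = {
    "top": (None, {"objectClass"}, set()),
    "mstop": ("top", set(), {"instanceType", "objectCategory", "name", "distinguishedName"}),
    "domain": ("mstop", {"dc"}, set()),
    # gPLink is deliberately absent here so the domain object below is rejected
    "domainDNS": ("domain", set(), {"msDS-Behavior-Version", "wellKnownObjects"}),
    "organizationalUnit": ("mstop", {"ou"}, {"gPLink", "gPOptions", "description"}),
}

# Constructed sample, modelled on the thread's domain and OU objects.
# {31B2F340-016D-11D2-945F-00C04FB984F9} is the well-known Default Domain Policy GUID.
SAMPLE_LDIF = """\
version: 1

dn: DC=contoso,DC=corp
objectClass: top
objectClass: domain
objectClass: domainDNS
instanceType: 5
dc: contoso
gPLink: [LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=contoso,DC=corp;0]

dn: OU=My Company Users,DC=contoso,DC=corp
objectClass: top
objectClass: organizationalUnit
instanceType: 4
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=contoso,D
 C=corp
ou:: TXkgQ29tcGFueSBVc2VycyA=
gPLink: [LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=contoso,DC=corp;0]
"""


def unfold(text: str) -> List[str]:
    """Join RFC 2849 continuation lines (leading single space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records into {attribute: [values]} dicts, one per entry."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold(text) + [""]:          # trailing sentinel flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if attr.lower() == "version" and not current:
            continue                          # "version: 1" file header
        if rest.startswith(":"):              # attr:: base64 (ldapsearch uses it for trailing spaces, non-ASCII)
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):
            raise ValueError(f"{attr}:< URL-valued attributes are not supported by this checker")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return entries


def allowed_attributes(schema: Schema, object_classes: List[str]) -> Set[str]:
    """Lower-cased union of MUST and MAY over each class and its superior chain."""
    index = {k.lower(): v for k, v in schema.items()}   # LDAP names are case-insensitive
    allowed: Set[str] = set()
    for oc in object_classes:
        name: Optional[str] = oc
        while name is not None:
            sup, must, may = index[name.lower()]        # KeyError: class unknown to loaded schema
            allowed.update(a.lower() for a in must | may)
            name = sup
    return allowed


def disallowed_attributes(schema: Schema, entry: Entry) -> List[str]:
    """Attributes slapd would report as 'not allowed' for this entry's objectClasses."""
    classes = [v for k, vs in entry.items() if k.lower() == "objectclass" for v in vs]
    allowed = allowed_attributes(schema, classes)
    return sorted(a for a in entry if a.lower() != "dn" and a.lower() not in allowed)


def check_ldif(schema: Schema, text: str) -> List[Tuple[str, List[str]]]:
    """(dn, [disallowed attributes]) for every entry in the LDIF text."""
    return [(e["dn"][0], disallowed_attributes(schema, e)) for e in parse_ldif(text)]


def with_gplink_on_domaindns(schema: Schema) -> Schema:
    """Copy of the schema whose domainDNS MAY list also carries gPLink (the fix shape)."""
    patched = dict(schema)
    sup, must, may = patched["domainDNS"]
    patched["domainDNS"] = (sup, must, may | {"gPLink"})
    return patched


if __name__ == "__main__":
    for label, schema in (("as loaded", SCHEMA), ("patched", with_gplink_on_domaindns(SCHEMA))):
        for dn, bad in check_ldif(schema, SAMPLE_LDIF):
            print(f"{label}: {dn} -> " + ("OK" if not bad else "not allowed: " + ", ".join(bad)))
```

Run it against an export before `ldapadd` and it lists, per DN, every attribute the schema you actually loaded into slapd will refuse, which separates genuinely custom attributes from standard ones such as gPLink that a converted objectClass definition simply does not carry; the real schema to feed it is the set of objectClass definitions the container loads, not the constructed dict above.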

stevenlafl commented 7 months ago

> Thanks for the docker image.
>
> I'm getting lots of errors with an LDIF file from AD. When I remove problematic attributes which may be custom to this instance, eventually I get this:
>
> adding new entry "DC=contoso,DC=corp"
> ldap_add: Object class violation (65)
>         additional info: attribute 'gPLink' not allowed
>
> gPLink is definitely not a custom attribute and it seems to be included in the schema. In this case the LDIF file only contains the domain object. What's wrong here?

I haven't actually tried any setup with GPOs in it. Do you have an example snippet from your LDIF that contains the portion which is erroring?

I am expecting something like...

dn: dc=contoso,dc=corp
objectClass: top
objectClass: customDomain
dc: contoso
gPLink: [LDAP://cn={GUID of GPO},cn=policies,cn=system,DC=contoso,DC=corp;0]

Replacing of course //cn={GUID of GPO} with cn=SOME-GUID?

AdrianVollmer commented 7 months ago

Yes, that is what it looks like. Unfortunately I cannot share this data and sanitizing is non-trivial. However, I found a lot of other missing attributes. I opened a dedicated issue here: https://github.com/dkoudela/active-directory-to-openldap/issues/10

Thanks for the reply anyway!