Active Directory to LDIF OpenLDAP

Lime · Apr 3, 2011 · Viewed 7.4k times

How would I create an LDAP that mimics the structure of a typical Active Directory?

I need the following values to be included in each user. This isn't the right syntax, but I want to add a user with a specific user name and password:

dn: dc=users
userlogin: USERNAME
userPassword: PASSWORD
objectclass: person
userPrincipalName: [email protected]
sAMAccountName: USERNAME

I tried using a tldif, but I'm unsure how to create an appropriate Distinguished Name that allows for me to add users like the above syntax, or what equates to it.

Ultimately, several remote servers query the OpenLDAP server with this SQL query.

select sAMAccountName FROM '" + ConnectionPath + "' where objectclass='person' and userPrincipalName='"+ UserName + "'

Thanks! :)

Answer

JPBlanc · Apr 4, 2011

If you want to use OpenLDAP with Active Directory attributes, the first thing you need to do is modify the OpenLDAP schema. There is a "faq-O-Matic" which explains that on the OpenLDAP site.

The schema of your directory defines a set of rules which specify the types of objects a directory may contain and the required and optional attributes that entries of different types should have. An LDAP schema may also specify the namespace structure and the relationships between different types of objects.

To keep it simple, just modify the schema, which is located in /etc/openldap/schema/, and do not try to implement a dynamic schema.

There is a second solution, which is not expensive and perhaps simpler as far as Active Directory is concerned, if you have Windows servers in your network. This solution is called ADAM (Active Directory Application Mode) on W2K3 or LDS (Lightweight Directory Server) on W2K8. These two products are free. ADAM and LDS are the binary of Active Directory that you can use to build application directories, and they are ready and able in a few clicks. It's easy to implement the AD schema on them. You can even synchronize them with an existing AD and use them as a proxy.