3 Replies Latest reply on Sep 3, 2018 3:40 AM by Alessandro Ghezzi

    Address Book and multiple Active Directories

    Alessandro Ghezzi

      A FootPrints Address Book can be configured with a single Active Directory server.

      I have an environment where there are 9 separate Active Directories: there is a trust between all the ADs but this is enough for FootPrints because they are in separate forests.

      If the Address Book is configured to point to the AD1 server I find only contacts from the AD1 server, even if I configure some Base DNs for the other ADs.

      How can this problem be bypassed?

      Searching the old FP user group messages I found where it is suggested to use OpenLDAP as a proxy for the different ADs.

      http://tech.groups.yahoo.com/group/fpusergroup/message/6630

      Can this method work in my environment? I'm using FPSC 11.6 on Windows 2008.

      Has anyone experience with OpenLDAP on Windows environments (OpenLDAP for Windows | Free software downloads at SourceForge.net) and can suggest a basic configuration to me?

      Thanks

      Alessandro

        • 1. Re: Address Book and multiple Active Directories

          If all of your AD servers are in the same forest, you should be able to query BaseDNs for all of them as long as you connect to a global catalog server on port 3268. If they are not in the same forest, then I know of no way to set up Footprints to get contact records from more than one server using port 389. You may wish to contact BMC support as I was told they (Numara) were working on this three years ago when I posted the message on the old yahoo group.

          I no longer utilize OpenLDAP in my environment as I now have a unified AD structure where all needed servers are in a common forest; however, I am sure that the OpenLDAP setup as I previously described will still work. Since OpenLDAP will allow you to query multiple servers, you can pull in all the BaseDNs from different AD forests/servers as needed and then you can query that from Footprints. The only real issue is making sure you have good network connectivity from the proxy to the AD servers.

          I have no experience with OpenLDAP on Windows. If I needed to use it again, I would continue to use it on Linux as there is always going to be great support on Linux. That may or may not be the case on Windows.

          Good luck,

          Jack

          • 2. Re: Address Book and multiple Active Directories
            Alessandro Ghezzi

            Hi Jack,

            The problem was that they are in different forests, so the global catalog could not be used.

            I successfully managed to install OpenLDAP on a Windows 2008 Server and connect 9 different Active Directories, for both Address Book and LDAP Authentication purposes.

            The configuration file you posted on the fpusergroup helped me a lot, so thank you for that message!

            Regards

            Alessandro

            • 3. Re: Address Book and multiple Active Directories
              Alessandro Ghezzi

              As a reference for the future I put here the post from the Yahoo groups:

              I have a similar setup as you describe. The way I got around this was to set up OpenLDAP (http://www.openldap.org/) and configure it as a proxy server to the AD forests. Then I pointed the Footprints address book to the OpenLDAP proxy. It works nicely.

              If you install this on a redhat/centos server, you can simply use the redhat RPMs to install OpenLDAP. The main trick is getting the slapd.conf file configured. Mine looks similar to this.

              # See slapd.conf(5) for details on configuration options.
              # This file should NOT be world readable.
              #
              include /etc/openldap/schema/core.schema
              include /etc/openldap/schema/cosine.schema
              include /etc/openldap/schema/inetorgperson.schema
              include /etc/openldap/schema/nis.schema

              # Allow LDAPv2 client connections. This is NOT the default.
              allow bind_v2

              # Do not enable referrals until AFTER you have a working directory
              # service AND an understanding of referrals.
              #referral ldap://root.openldap.org

              pidfile /var/run/openldap/slapd.pid
              argsfile /var/run/openldap/slapd.args

              # Load dynamic backend modules:
              # modulepath /usr/lib/openldap

              # modules available in openldap-servers-overlays RPM package:
              # moduleload accesslog.la
              # moduleload auditlog.la
              # moduleload denyop.la
              # moduleload dyngroup.la
              # moduleload dynlist.la
              # moduleload lastmod.la
              # moduleload pcache.la
              # moduleload ppolicy.la
              # moduleload refint.la
              # moduleload retcode.la
              # moduleload rwm.la
              # moduleload smbk5pwd.la
              # moduleload syncprov.la
              # moduleload translucent.la
              # moduleload unique.la
              # moduleload valsort.la

              # modules available in openldap-servers-sql RPM package:
              # moduleload back_sql.la

              # The next three lines allow use of TLS for encrypting connections using a
              # dummy test certificate which you can generate by changing to
              # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
              # slapd.pem so that the ldap user or group can read it. Your client software
              # may balk at self-signed certificates, however.
              # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
              # TLSCertificateFile /etc/pki/tls/certs/slapd.pem
              # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

              # Sample security restrictions
              # Require integrity protection (prevent hijacking)
              # Require 112-bit (3DES or better) encryption for updates
              # Require 63-bit encryption for simple bind
              # security ssf=1 update_ssf=112 simple_bind=64

              # Sample access control policy:
              # Root DSE: allow anyone to read it
              # Subschema (sub)entry DSE: allow anyone to read it
              # Other DSEs:
              # Allow self write access
              # Allow authenticated users read access
              # Allow anonymous users to authenticate
              # Directives needed to implement policy:
              access to dn.base="" by * read
              access to dn.base="cn=Subschema" by * read
              # "by" clauses on their own lines must be indented: slapd.conf treats a
              # line that starts with whitespace as a continuation of the previous one.
              access to *
                  by self write
                  by users read
                  by anonymous read
              #
              # if no access controls are present, the default policy
              # allows anyone and everyone to read anything but restricts
              # updates to rootdn. (e.g., "access to * by * read")
              #
              # rootdn can always read and write EVERYTHING!

              #######################################################################
              # ldbm and/or bdb database definitions
              #######################################################################

              database bdb
              suffix "dc=example,dc=com"
              rootdn "cn=Manager,dc=example,dc=com"
              # Cleartext passwords, especially for the rootdn, should
              # be avoided. See slappasswd(8) and slapd.conf(5) for details.
              # Use of strong authentication encouraged.
              rootpw secret
              # rootpw {crypt}ijFYNcSNctBYg

              # The database directory MUST exist prior to running slapd AND
              # should only be accessible by the slapd and slap tools.
              # Mode 700 recommended.
              directory /var/lib/ldap

              # Indices to maintain for this database
              index objectClass eq,pres
              index ou,cn,mail,surname,givenname eq,pres,sub
              index uidNumber,gidNumber,loginShell eq,pres
              index uid,memberUid eq,pres,sub
              index nisMapName,nisMapEntry eq,pres,sub

              # Replicas of this database
              #replogfile /var/lib/ldap/openldap-master-replog
              #replica host=ldap-1.example.com:389 starttls=critical
              # bindmethod=sasl saslmech=GSSAPI
              # authcId=host/ldap-master.example.com@...

              #########NA LDAP
              #
              # One back-ldap proxy database per AD forest: each suffix is served by
              # the global catalog (port 3268) of that forest. "mode=none" belongs to
              # the idassert-bind directive, so it is kept on the same line here.
              database ldap
              suffix "DC=YOURDOMAIN,DC=com"
              uri ldap://YOURADSERVER1.com:3268/
              chase-referrals NO
              idassert-bind bindmethod=simple binddn="CN=FAKEUSER,DC=YOURDOMAIN,DC=COM" credentials=FAKEPASSWORD mode=none

              database ldap
              suffix "DC=YOURDOMAIN2,DC=com"
              uri ldap://YOURADSERVER2.com:3268/
              chase-referrals NO
              idassert-bind bindmethod=simple binddn="CN=FAKEUSER2,DC=YOURDOMAIN2,DC=com" credentials=FAKEPASSWORD2 mode=none
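As an added example (not part of the thread and not OpenLDAP's own tooling): a small Python checker that reads a slapd.conf shaped like the proxy config above, joins slapd.conf continuation lines (which is where a stray `mode=none` line belongs), splits it into its `database` stanzas, and flags the settings a reviewer would question in the posted sample: a cleartext `rootpw`, a back-ldap `uri` that reaches the AD global catalog over plain `ldap://`, and an `idassert-bind` that lost its `mode=none`. The `SAMPLE_CONF` text is constructed; its second stanza using `ldaps://...:3269/` (the global catalog's TLS port) is the assumed hardened form.

```python
# Constructed slapd.conf excerpt modelled on the posted proxy config (FAKEUSER etc. are the thread's placeholders).
SAMPLE_CONF = """\
database bdb
suffix "dc=example,dc=com"
rootpw secret
database ldap
suffix "DC=YOURDOMAIN,DC=com"
uri ldap://YOURADSERVER1.com:3268/
idassert-bind bindmethod=simple binddn="CN=FAKEUSER,DC=YOURDOMAIN,DC=COM" credentials=FAKEPASSWORD
  mode=none
database ldap
suffix "DC=YOURDOMAIN2,DC=com"
uri ldaps://YOURADSERVER2.com:3269/
idassert-bind bindmethod=simple binddn="CN=FAKEUSER2,DC=YOURDOMAIN2,DC=com" credentials=FAKEPASSWORD2
"""

def parse_stanzas(text):
    # Split a slapd.conf into its 'database' stanzas (stanza 0 holds the global
    # directives); a line starting with whitespace continues the previous line.
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    stanzas = [{"type": "global"}]
    for line in lines:
        directive, _, value = line.partition(" ")
        if directive.lower() == "database":
            stanzas.append({"type": value.strip()})
        else:
            stanzas[-1].setdefault(directive.lower(), []).append(value.strip())
    return stanzas

def audit(text):
    # Weak settings a reviewer would flag in a proxy config like the one above.
    findings = []
    for st in parse_stanzas(text):
        suffix = st.get("suffix", [st["type"]])[0]
        for pw in st.get("rootpw", []):
            if not pw.startswith("{"):  # hashed values look like {SSHA}...
                findings.append(f"{suffix}: rootpw stored in cleartext")
        for uri in st.get("uri", []):
            if uri.lower().startswith("ldap://"):
                findings.append(f"{suffix}: proxies to AD over plain ldap:// ({uri})")
        for bind in st.get("idassert-bind", []):
            if "mode=none" not in bind:
                findings.append(f"{suffix}: idassert-bind lacks mode=none")
    return findings
```

Running `audit(SAMPLE_CONF)` on the constructed text reports the cleartext rootpw, the plain-LDAP first stanza, and the missing `mode=none` in the second stanza, and nothing for the correctly joined continuation line.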