Help with LDAP schema/files

This is sort of a continuation of Using an existing directory - #3, which closed because I took too long to update. (Sorry! :upside_down_face:)

I’m still trying to hook up Yunohost to my Active Directory userbase. Thanks to another user I found out that I can connect another directory from the /etc/sudo-ldap.conf file, and that it is responsible for the root user somehow.

I tried that but couldn’t log in at all, the file ended up something similar to:

(…)
BASE   OU=somemagicOU,DC=domain,DC=tld
URI    ldap://zz.domain.tld:389
(…)
sudoers_base OU=su,OU=ServiceAccount,OU=somemagicOU,DC=domain,DC=tld

It didn’t quite work. Of course not, I forgot about the tiny differences between regular LDAP and AD.

Then I found that LDAP, specifically OpenLDAP, can work standalone, using references or as a directory proxy, and found the special config to set it up as an Active Directory LDAP proxy, courtesy of Samba. It takes care of the idiosyncrasies, at least the most pressing issues, like translating uid to sAMAccountName. Here’s the file:

### Schema includes ###########################################################
include                 /etc/openldap/schema/core.schema
include                 /etc/openldap/schema/cosine.schema
include                 /etc/openldap/schema/inetorgperson.schema
include                 /etc/openldap/schema/misc.schema
include                 /etc/openldap/schema/nis.schema

## Module paths ##############################################################
modulepath              /usr/lib64/openldap/
moduleload              back_ldap
moduleload              rwm

# Main settings ###############################################################
pidfile                 /var/run/openldap/slapd.pid
argsfile                /var/run/openldap/slapd.args

### Database definition (Proxy to AD) #########################################
database                ldap
readonly                yes
protocol-version        3
rebind-as-user
uri                     "ldap://{AD-Hostname/IP}:389"
suffix                  "{your Domain DN}"
overlay                 rwm
rwm-map                 attribute       uid     sAMAccountName
rwm-map                 attribute       mail    proxyAddresses

### Logging ###################################################################
loglevel                0

This would be /etc/ldap/slapd.conf. Right on time, though, a new issue made itself known; this, according to the admin guide, is the old way of doing things. The new one, it seems, spreads what was in simple files across a tree of directories, not unlike LDAP itself, which it seems must be edited with its own tools. It says in the guide that OpenLDAP would take either form of configuration, but so far /etc/ldap/slapd.conf didn’t seem to work.

There’s another option that sets up LDAP, Samba and Kerberos (also called joining an AD domain) in one command, Red Hat’s realmd tool. But I don’t know how customised the LDAP implementation used in Yunohost is.

Instead of adding more pkgs I think I should try to understand how it’s set up in order to decompose it to make the link to AD. Could you point me to some reference, or a list of the files that are part of the LDAP configuration, or any advice/info you have about this, please? I think I should be able to figure it out only knowing for sure which LDAP config files are in use so I can study them without false positives possibly throwing me off the scent. :dog2:

It’s not going to waste I promise :raised_hand: I started documenting it to report back if successful.

Thank you for your help. :smiley:
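The post's slapd.conf proxy fragment is in the old flat-file format, while slapd on Debian (which YunoHost runs on) reads the cn=config tree under /etc/ldap/slapd.d unless SLAPD_CONF in /etc/default/slapd points elsewhere, which is why a stray /etc/ldap/slapd.conf is silently ignored. The script below is an added example, not code from the original post or from the YunoHost or Samba projects: it emits the cn=config LDIF equivalent of that proxy fragment (module load, back_ldap database, rwm overlay) so it can be loaded into the live config with ldapadd. The AD URI, suffix DN, database index and module path are caller-supplied placeholders; the database index is assumed to be 2 (on a stock Debian slapd, {0} is config and {1} is the existing mdb database) and should be checked before loading. Because `rebind-as-user` forwards the end user's own credentials to AD, the function adds `olcDbStartTLS: start` whenever a plain ldap:// URI is given, so passwords are not relayed in the clear:

```shell
#!/bin/sh
# Added example (not from the original post): emit cn=config LDIF for an
# OpenLDAP read-only proxy to Active Directory, mirroring the slapd.conf
# fragment in the post. Attribute names follow slapd-ldap(5) / slapo-rwm(5).
#
# Usage: proxy_ldif <ad-uri> <suffix-dn> [db-index] [module-path]
#   ad-uri      e.g. ldaps://dc.example.test:636   (placeholder, caller-supplied)
#   suffix-dn   e.g. DC=example,DC=test            (placeholder, caller-supplied)
#   db-index    position of the new database in cn=config (assumed default: 2)
#   module-path directory holding back_ldap.so and rwm.so (assumed default:
#               /usr/lib/ldap, the Debian location)

# Returns 0 when the URI already uses LDAP over TLS (ldaps://), 1 otherwise.
uri_is_ldaps() {
    case "$1" in
        ldaps://*) return 0 ;;
        *)         return 1 ;;
    esac
}

proxy_ldif() {
    ad_uri=$1
    suffix=$2
    idx=${3:-2}
    modpath=${4:-/usr/lib/ldap}

    # With rebind-as-user the proxy forwards each user's bind password to AD,
    # so a cleartext ldap:// URI gets StartTLS (tls start in slapd-ldap(5)).
    if uri_is_ldaps "$ad_uri"; then
        tls_line=""
    else
        tls_line="olcDbStartTLS: start"
    fi

    cat <<EOF
# Load the back_ldap backend and the rwm (rewrite/remap) overlay
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: $modpath
olcModuleLoad: back_ldap
olcModuleLoad: rwm

# Read-only proxy database that forwards operations to Active Directory
dn: olcDatabase={$idx}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {$idx}ldap
olcSuffix: $suffix
olcReadOnly: TRUE
olcDbURI: $ad_uri
olcDbProtocolVersion: 3
olcDbRebindAsUser: TRUE
$tls_line

# rwm overlay: map the attribute names clients ask for to their AD names
dn: olcOverlay=rwm,olcDatabase={$idx}ldap,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmMap: attribute uid sAMAccountName
olcRwmMap: attribute mail proxyAddresses
EOF
}

# Run only when called with arguments, e.g.
#   ./proxy_ldif.sh ldaps://dc.example.test:636 DC=example,DC=test 2 > proxy.ldif
#   ldapadd -Y EXTERNAL -H ldapi:/// -f proxy.ldif
if [ $# -ge 2 ]; then
    proxy_ldif "$@"
fi
```

The same conversion can be done with OpenLDAP's own tool, `slaptest -f slapd.conf -F slapd.d`, which writes a complete slapd.d tree from a flat config; the hand-written LDIF above is only for adding the proxy database next to an existing cn=config rather than replacing it. Before loading, confirm the free database index with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase` and adjust the third argument to match.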