
Dockerize active-directory-to-openldap, bump slapd version, add GSSAPI SASL and add phpLDAPadmin for debug #9

Open · wants to merge 2 commits into base: master

Conversation

stevenlafl

@stevenlafl stevenlafl commented Jun 9, 2022

I hope this serves to help someone.

Here's an example to run it. It will stand up an LDAP server. You could just run it in place of a different OpenLDAP docker. I can't really say much as to the correctness, so @dkoudela will have to help sanity check the result.

docker run \
  --rm \
  -it \
  -v "$(pwd)/ldif:/app/ldif" \
  -v "$(pwd)/schema:/app/schema" \
  -w /app \
  -e ROOTDN="dc=example,dc=com" \
  -e ROOTPW="secrets" \
  -e ADDADUSERPW=false \
  -e DEFAULTADUSERPW="topsecret" \
  stevenlafl/ad2openldap

Querying it I get:

$ ldapsearch -x -h localhost -b"dc=example,dc=com"

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
instanceType: 5
objectCategory: cn=Domain-DNS,cn=Schema,cn=Configuration,dc=example,dc=com
objectClass: mstop
objectClass: domain
objectClass: domainDNS
dc: example

# My Company Users, example.com
dn: ou=My Company Users,dc=example,dc=com
instanceType: 4
objectCategory: cn=Organizational-Unit,cn=Schema,cn=Configuration,dc=example,d
 c=com
objectClass: mstop
objectClass: organizationalUnit
ou:: TXkgQ29tcGFueSBVc2VycyA=

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

And authenticated use:

ldapsearch -x -h localhost -w secrets -D 'cn=Manager,dc=example,dc=com' -b"dc=example,dc=com"

@stevenlafl stevenlafl changed the title Dockerize active-directory-to-openldap and bump slapd version Dockerize active-directory-to-openldap, bump slapd version, add GSSAPI SASL and add phpLDAPadmin for debug Jun 16, 2022
@AdrianVollmer

Thanks for the docker image.

I'm getting lots of errors with an LDIF file from AD. When I remove problematic attributes which may be custom to this instance, eventually I get this:

adding new entry "DC=contoso,DC=corp"
ldap_add: Object class violation (65)
        additional info: attribute 'gPLink' not allowed

gPLink is definitely not a custom attribute and it seems to be included in the schema. In this case the LDIF file only contains the domain object. What's wrong here?

@stevenlafl
Author

stevenlafl commented Apr 16, 2024

I haven't actually tried any setup with GPOs in it. Do you have an example snippet from your LDIF that contains the portion which is erroring?

I am expecting something like...

dn: dc=contoso,dc=corp
objectClass: top
objectClass: customDomain
dc: contoso
gPLink: [LDAP://cn={GUID of GPO},cn=policies,cn=system,DC=contoso,DC=corp;0]

Replacing of course //cn={GUID of GPO} with cn=SOME-GUID?
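
As an added example (not code from this PR or from the ad2openldap project), here is a small Python checker that mimics the slapd check behind "Object class violation (65): attribute 'gPLink' not allowed": it parses one LDIF entry (unfolding continuation lines and decoding `::` base64 values, both of which appear in the ldapsearch output above) and lists the attributes that no listed objectClass, or any of its superiors, permits. The schema and the sample entry are constructed assumptions; the test at the end also shows that the same entry passes once the loaded schema lists gPLink under MAY of a class in the entry's objectClass chain.

```python
import base64
import re

# Toy schema (constructed assumption, not the real AD/OpenLDAP schema): class -> (superior, MUST, MAY)
SCHEMA = {
    "top":       (None,     {"objectClass"}, set()),
    "domain":    ("top",    {"dc"},          {"description"}),
    "domaindns": ("domain", set(),           {"instanceType", "objectCategory"}),
}

# Constructed sample (GUID is a placeholder) with a folded line and a '::' base64 value.
SAMPLE_LDIF = """\
dn: dc=contoso,dc=corp
objectClass: top
objectClass: domain
objectClass: domainDNS
dc: contoso
gPLink: [LDAP://cn={GUID-PLACEHOLDER},cn=policies,cn=system,
 DC=contoso,DC=corp;0]
description:: TXkgQ29tcGFueSBVc2VycyA=
"""

def parse_ldif_entry(text):
    """Unfold lines, skip comments, decode '::' base64; return {attr: [values]}."""
    entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():  # LDIF folds with "\n "
        if not line.strip() or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$", line)
        if not m:
            raise ValueError(f"bad LDIF line: {line!r}")
        attr, sep, val = m.groups()
        if sep == "::":
            val = base64.b64decode(val).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(val)  # names are case-insensitive
    return entry

def allowed_attributes(object_classes, schema=SCHEMA):
    """Union of MUST and MAY over each objectClass and its superior chain."""
    allowed, todo = set(), [oc.lower() for oc in object_classes]
    while todo:
        sup, must, may = schema[todo.pop()]  # KeyError here = unknown objectClass
        allowed |= {a.lower() for a in must | may}
        if sup: todo.append(sup)
    return allowed

def check_entry(entry, schema=SCHEMA):
    """Attributes slapd would reject as 'attribute X not allowed' (result 65)."""
    allowed = allowed_attributes(entry.get("objectclass", []), schema)
    return sorted(a for a in entry if a != "dn" and a not in allowed)
```

Running `check_entry(parse_ldif_entry(SAMPLE_LDIF))` returns `['gplink']`, the attribute slapd complains about; with a schema whose domainDNS MAY list includes gPLink it returns an empty list.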

@AdrianVollmer

Yes, that is what it looks like. Unfortunately I cannot share this data and sanitizing is non-trivial. However, I found a lot of other missing attributes. I opened a dedicated issue here: #10

Thanks for the reply anyway!
