(Edit: Didn't want to make a new topic but I have kind of moved past where the initial issue was. You can probably ignore the top half of this but I will leave it for history)

Hi Devshed people,

I am having trouble setting up an AD proxy with the ldap backend type in OpenLDAP. Essentially, I have never touched LDAP on a configuration level before (I have added users and policy to AD, that's about it). We already have a working AD with the internal users; however, some of the new software we have implemented needs to be accessed by external users (clients/agents, etc.) which, I have been told, we are not to add into AD. As a result I have set up an OpenLDAP directory with their details included. This is working, and uses the hdb database type (I essentially followed Ubuntu's OpenLDAP server tutorial to the letter for the backend).

The problem arises because some of the new software does not support chained authentication, it can only check a single ldap source for users. As a result I need to somehow get the AD users to show up in openldap. I spent about a week researching syncrepl before I realized that wasn't going to fly with AD.

So I have read about the ldap backend type and using it as a proxy. The problem is that all the tutorials and information I can find seem to be about using slapd.conf to configure, whereas I have a later version of OpenLDAP which, as I understand, uses 'RTC' configuration.

Is anyone able to show me (or direct me towards) a sample ldif for a working AD proxy?
This is what I have been trying; however, it is not really an informed starting point: I took a sample I found in an old tutorial and put olc in front of all the properties.
olcDatabase: ldap
olcSuffix: dc=companyname,dc=local
olcSubordinate: yes
olcRebind-as-user: yes
olcUri: "ldap://companyname.local/";
olcChase-referrals: yes


So I have finally managed to get myself set up with two databases in OpenLDAP, one ldap and one hdb. The backend LDIF I used for this is:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: back_hdb
olcModuleLoad: back_ldap

dn: olcDatabase={1}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {1}ldap
olcSuffix: ou=internal,dc=companyname,dc=local
olcSubordinate: TRUE
olcDbURI: "ldap://companyname.local"
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE

dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=companyname,dc=local
olcLastMod: TRUE
olcRootDN: cn=admin,dc=companyname,dc=local
olcRootPW: {SSHA}[a hashed password]
olcDbDirectory: /var/lib/ldap
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=companyname,dc=local" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=companyname,dc=local" write by * read

Now ldap://companyname.local definitely connects to our AD installation; I can connect to and search that URI using Apache Directory Studio from my PC, or ldapsearch it from the command line on the Ubuntu box running OpenLDAP.
However, when I try
ldapsearch -xLLL -D "cn=admin,dc=companyname,dc=local" -W -b "ou=internal,dc=companyname,dc=com"
I get "No such object (32)". (The way I read it, that is an unfiltered search and should get me all the results from AD... correct me if I am wrong.)
The only guess I have is that maybe I need to use a bind DN from AD, not from OpenLDAP; could that be the issue?
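Added example (editor's, not the poster's configuration and not taken from any tutorial): the changes a back-ldap proxy to AD usually needs on top of the cn=config entries shown in the post, written as ldapmodify operations against those entries so they can be applied to the running config. Two things are worth checking against the post itself before touching anything. First, the ldapsearch above uses -b "ou=internal,dc=companyname,dc=com" while both configured suffixes end in dc=local; a base that sits under no suffix is answered with exactly "No such object (32)" by the frontend before any backend is consulted. Second, a client that binds as cn=admin,dc=companyname,dc=local is authenticated by the hdb database only; when its search is handed to the ldap database, back-ldap has no credentials of its own and forwards the operation to AD anonymously, which AD refuses. Binding with an AD DN from the client would route the bind through the proxy, but the cleaner fix is to give the proxy its own AD identity with olcDbIDAssertBind, which is what the example does. Assumptions, also marked in the comments: AD's naming context is dc=companyname,dc=local and contains no ou=internal, so the rwm overlay maps the local ou=internal subtree onto the AD root; cn=ldap-proxy,cn=Users,dc=companyname,dc=local is a hypothetical read-only AD service account; the module entry from the post has been loaded and therefore carries the index cn=module{0}; the rwm module lives in /usr/lib/ldap alongside back_ldap. Attribute names and the rwm-suffixmassage form follow slapd-ldap(5), slapo-rwm(5) and slapd-config(5) for OpenLDAP 2.4; verify them against the man pages of the installed version.

```ldif
# Added example, not the original poster's config. Apply on the OpenLDAP host with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f ad-proxy.ldif
# Assumes the entries from the post are already loaded (cn=module{0}, {1}ldap, {2}hdb).

# 1. rwm overlay module, needed to rewrite DNs between the local ou=internal
#    subtree and AD's real naming context (assumed: dc=companyname,dc=local).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm

# 2. Give the proxy its own AD identity and stop it chasing AD's referrals.
dn: olcDatabase={1}ldap,cn=config
changetype: modify
replace: olcDbChaseReferrals
# A subtree search of the domain root makes AD return continuation references
# for its other partitions (DomainDnsZones, ForestDnsZones, Configuration);
# chasing them from the proxy only adds DNS lookups, delays and time-outs.
olcDbChaseReferrals: FALSE
-
add: olcDbIDAssertBind
# Hypothetical read-only AD service account. mode=none: the proxy performs the
# forwarded operations as this account and sends no proxied-authorization
# control (AD does not support that control). Bind operations from clients are
# still passed through to AD with the client's own credentials, so AD users can
# authenticate via the proxy. The credentials sit in cleartext under
# /etc/ldap/slapd.d, which must stay readable only by the slapd user, and they
# travel in cleartext over ldap://; switch olcDbURI to ldaps://companyname.local
# (with AD's CA in TLS_CACERT) before using this outside a test network.
olcDbIDAssertBind: bindmethod=simple binddn="cn=ldap-proxy,cn=Users,dc=companyname,dc=local" credentials="CHANGEME" mode=none
-
add: olcDbIDAssertAuthzFrom
# Allow every local identity (including the hdb rootdn cn=admin) to have its
# operations forwarded under the service account.
olcDbIDAssertAuthzFrom: "*"
-
add: olcAccess
# The hdb's olcAccess lines do not cover this database. Without an ACL here the
# default "to * by * read" lets anonymous clients of the proxy read all of AD
# through the service account.
olcAccess: {0}to * by users read by * none

# 3. Map ou=internal,dc=companyname,dc=local (local view) onto AD's root
#    (assumed dc=companyname,dc=local). Drop this overlay if an ou=internal
#    really exists in AD and is the subtree you want to expose.
dn: olcOverlay={0}rwm,olcDatabase={1}ldap,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {0}rwm
olcRwmRewrite: rwm-suffixmassage "ou=internal,dc=companyname,dc=local" "dc=companyname,dc=local"

# Checks after loading:
#   Confirm AD's real naming context (rootDSE is readable anonymously):
#     ldapsearch -x -H ldap://companyname.local -b "" -s base namingContexts
#   Search through the proxy, base spelled exactly as the suffix (dc=local):
#     ldapsearch -xLLL -H ldap://localhost -D "cn=admin,dc=companyname,dc=local" -W \
#       -b "ou=internal,dc=companyname,dc=local" "(cn=Administrator)" dn
#   Pass-through authentication of an AD user (hypothetical account):
#     ldapwhoami -x -H ldap://localhost \
#       -D "cn=Jane Doe,cn=Users,ou=internal,dc=companyname,dc=local" -W
```

The subordinate ordering in the post is already right: the {1}ldap subordinate must come before its {2}hdb superior, and the glue is what makes a subtree search of dc=companyname,dc=local on the local server fan out into the proxied ou=internal branch.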