OpenLDAP server as a proxy to AD and local auth db
- To: openldap-technical@openldap.org
- Subject: OpenLDAP server as a proxy to AD and local auth db
- From: "L.B." <allegatis@gmail.com>
- Date: Fri, 21 Jan 2011 12:01:19 -0800
Hi all -
Thanks in advance. I know this topic has been discussed at length but
I'm fairly new to it and haven't been able to find enough information
to get my implementation working. I've been piecing together bits and
pieces of what seems like the correct parameters, but I've had no
luck... and now that I've resorted to guessing, I'd like to ask for
help.
So here's what I'm trying to achieve:
One OpenLDAP server that will A) proxy for a backend AD server and B)
maintain a local database for users that are not in AD. The AD system
will be used for internal/corp users while the local db will be used
for external/3rd party people. The AD system has _some_ of the unix
schema attributes, but not all, so I will be doing some rewriting on
the openldap server. The linux workstations will use the single
openldap server and will only be used by internal users, and we also
have some websites that are for internal/external users.
For the time being, I'm just working on part A - proxy requests for
these linux workstations to the backend AD server and get the proper
mapping figured out.
My present problem is that my openldap server is connecting
anonymously to the AD server, and that's no good because that's not
allowed. I have an AD service account defined for the openldap server
connections, and have configured the correct values for the
'idassert-bind' directive (see below). Performing a manual ldapsearch
works fine when I define the same parameters on the command line, but
slapd isn't using the correct parameters, it seems. Below are the
config files, etc. for each component... I hope this helps.
./ldapsearch -vvv -H ldap://corp-ad.mascorp.com -b "dc=mascorp,dc=com" -s sub -D "cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" -W
I've compiled and installed bdb v4.8 and openldap v2.4.23 from source.
Here's how I configured openldap:
LD_LIBRARY_PATH="/usr/lib:/usr/local/lib:/cluster/centauth/BerkeleyDB.4.8/lib:/usr/local/ssl/lib" \
CPPFLAGS="-I/cluster/centauth/BerkeleyDB.4.8/include" \
LDFLAGS="-L/cluster/centauth/BerkeleyDB.4.8/lib" \
./configure --prefix=/cluster/centauth/openldap2.4 --enable-shared \
  --enable-crypt=yes --enable-rewrite=yes --enable-bdb=yes \
  --enable-hdb=yes --enable-ldap=mod --enable-meta=mod \
  --enable-monitor=yes --enable-relay=mod --enable-overlays=yes \
  --with-cyrus-sasl --with-threads=posix --with-tls=openssl
This is the client configuration on the linux workstation:
# /etc/ldap.conf
base dc=mascorp,dc=com
scope sub
timelimit 120
bind_timelimit 120
idle_timelimit 3600
uri ldap://sso.mascorp.com
ssl no
pam_password ad
#eof
This is the server config on the openldap server:
# /cluster/centauth/etc/slapd.conf
include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/misc.schema
include /usr/share/openldap2.4/schema/corba.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/ppolicy.schema
include /usr/share/openldap2.4/schema/ldapns.schema
include /cluster/centauth/etc/schema/microsoft.minimal.schema
pidfile /cluster/centauth/var/run/slapd.pid
argsfile /cluster/centauth/var/run/slapd.args
loglevel -1
monitoring on
defaultsearchbase "dc=mascorp,dc=com"
database ldap
suffix "dc=mascorp,dc=com"
uri "ldap://corp-ad.mascorp.com"
acl-bind bindmethod=simple binddn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" credentials="mofosecret"
idassert-bind bindmethod=simple binddn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" credentials="mofosecret"
overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute homeDirectory unixHomeDirectory
rwm-map attribute cn cn
rwm-map attribute displayName displayName
rwm-map attribute givenName givenName
rwm-map attribute sn sn
rwm-map attribute mail mail
rwm-map attribute userPassword objectGUID
rwm-map attribute *
rwm-map objectclass posixAccount organizationalPerson
rwm-map objectclass inetOrgPerson user
access to dn.subtree="dc=mascorp,dc=com"
by * read
#eof
# Pertinent logs from ldap2.4.log
Jan 20 00:13:57 sso slapd[30527]: do_bind: v3 anonymous bind
Jan 20 00:13:57 sso slapd[30527]: ==> limits_get: conn=1000 op=1 self="[anonymous]" this="dc=mascorp,dc=com"
Jan 20 00:13:57 sso slapd[30527]: send_ldap_result: err=1 matched="" text="00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece"
Thanks!
Rafa
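As an added example (not part of the post and not OpenLDAP code), a small Python check modelled on the slapd loglevel -1 lines quoted above: it correlates each client bind with the identity an operation actually ran as (the limits_get self= value) and with AD's "successful bind must be completed" rejection, so a failure on a connection the client bound anonymously can be told apart from one on an authenticated connection. The sample log lines are constructed; the stats-level conn/op lines and the second, authenticated connection are assumptions made for illustration.

```python
import re

# Constructed sample slapd log lines modelled on the excerpt in the post; the
# stats-level conn/op lines and the authenticated conn=1001 are made up.
SAMPLE_LOG = """\
Jan 20 00:13:57 sso slapd[30527]: conn=1000 op=0 BIND dn="" method=128
Jan 20 00:13:57 sso slapd[30527]: do_bind: v3 anonymous bind
Jan 20 00:13:57 sso slapd[30527]: conn=1000 op=0 RESULT tag=97 err=0 text=
Jan 20 00:13:57 sso slapd[30527]: conn=1000 op=1 SRCH base="dc=mascorp,dc=com" scope=2 deref=0 filter="(uid=rafa)"
Jan 20 00:13:57 sso slapd[30527]: ==> limits_get: conn=1000 op=1 self="[anonymous]" this="dc=mascorp,dc=com"
Jan 20 00:13:57 sso slapd[30527]: conn=1000 op=1 SEARCH RESULT tag=101 err=1 nentries=0 text=00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
Jan 20 00:14:10 sso slapd[30527]: conn=1001 op=0 BIND dn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" method=128
Jan 20 00:14:10 sso slapd[30527]: conn=1001 op=0 RESULT tag=97 err=0 text=
Jan 20 00:14:10 sso slapd[30527]: conn=1001 op=1 SRCH base="dc=mascorp,dc=com" scope=2 deref=0 filter="(uid=rafa)"
Jan 20 00:14:10 sso slapd[30527]: ==> limits_get: conn=1001 op=1 self="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" this="dc=mascorp,dc=com"
Jan 20 00:14:10 sso slapd[30527]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

OP_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)')
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)"')
SELF_RE = re.compile(r'self="(?P<self>[^"]*)"')
RESULT_RE = re.compile(r'(?:SEARCH )?RESULT tag=\d+ err=(?P<err>\d+) .*?text=(?P<text>.*)')
# Comment AD returns (err=1) when an operation arrives on an unbound connection.
AD_NEEDS_BIND = "a successful bind must be completed on the connection"


def find_unauthenticated_proxy_failures(log_text):
    """One finding per op AD rejected for lack of a bind, with bind context."""
    client_bind = {}   # conn id -> DN of the client's last bind ("" = anonymous)
    ran_as = {}        # (conn, op) -> identity reported by limits_get
    findings = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue   # lines without conn=/op= carry no correlation key
        conn, op, rest = m.group("conn"), int(m.group("op")), m.group("rest")
        if (b := BIND_RE.match(rest)):
            client_bind[conn] = b.group("dn")
        elif (s := SELF_RE.match(rest)):
            ran_as[(conn, op)] = s.group("self")
        elif (r := RESULT_RE.match(rest)) and AD_NEEDS_BIND in r.group("text"):
            findings.append({
                "conn": conn, "op": op, "err": int(r.group("err")),
                "client_bind": client_bind.get(conn, "") or "[anonymous]",
                "ran_as": ran_as.get((conn, op), "unknown"),
            })
    return findings
```

Run it over a real loglevel -1 capture to see, for each AD rejection, whether the client itself bound anonymously (as the workstation's ldap.conf above, which has no binddn, will do) or whether an authenticated client's request was still forwarded without the service account identity.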