[Date Prev][Date Next] [Chronological] [Thread] [Top]

problem with openldap identity assertion to AD server

To: openldap-technical@openldap.org
Subject: problem with openldap identity assertion to AD server
From: John Uhlig <juhlig@parc.com>
Date: Mon, 19 Dec 2011 10:11:26 PST
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110428 Fedora/3.1.10-1.fc13 Thunderbird/3.1.10

Hello.

I am new to this list so please forgive any protocol violations :)

I am starting with simple steps towards our goal to use the openldap server translucent overlay config to merge AD authentication for people at our company with local ldap account authentication fornon-company people.


I am using openldap 2.4.23  on RHEL6 server.

At this point, the ldap server can access our AD servers with anonymous bind but I need authenticated access to get more information.

I have been using variations of  the "Identity Assertion" steps from the openldap FAQ page (http://www.openldap.org/faq/data/cache/532.html) without success.

I am initially trying the simplest config e.g. bindmethod=simple with a valid AD account/password for this access.

I have included my current minimalist slapd.conf file if of any help.

If anyone can point me to sample working configuration file(s) or provide any recommendations, I would appreciate it.

thanks,
John.

------------------------------------------

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral    ldap://root.openldap.org

pidfile        /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require 112-bit (3DES or better) encryption for updates
#    Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#    Root DSE: allow anyone to read it
#    Subschema (sub)entry DSE: allow anyone to read it
#    Other DSEs:
#        Allow self write access
#        Allow authenticated users read access
#        Allow anonymous users to authenticate
#    Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#    by self write
#    by users read
#    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

###TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCACertificateFile /usr/var/openldap-data/cacert.pem
###TLSCertificateFile /etc/openldap/cacerts/parcldscert.pem
###TLSCertificateKeyFile /etc/openldap/cacerts/parclds.pem
###TLSVerifyClient allow
TLSVerifyClient never

### Will use TLS after I get authenticated bind working

#######################################################################
# BDB database definitions
#######################################################################

database    bdb
suffix        "dc=corp,dc=ad,dc=parc,dc=com"
rootdn        "cn=Manager,dc=corp,dc=ad,dc=parc,dc=com"

# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw        {SSHA}EwrR01/GdI4+sdOVzZcK6Y94QbIXIw0j
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
sizelimit unlimited
directory    /var/lib/ldap
# Indices to maintain
index    objectClass    eq
### debug logging
loglevel -1
# try transl overlay config here
moduleload translucent
overlay translucent
translucent_local carLicense
uri ldap://ADserver.corp.ad.parc.com
lastmod off
#
idassert-bind bindmethod=simple
    binddn=cn=ldapacct,OU=Pseudo_User_Accounts,OU=PARC_Users,DC=corp,DC=ad,DC=parc,DC=com
    credentials="password"
    authzID=dn:cn=ldapacct,OU=Pseudo_User_Accounts,OU=PARC_Users,DC=corp,DC=ad,DC=parc,DC=com
[root@virtuosity-vm84 configs]#

Follow-Ups:
- problem with simple user/password authentication to AD server
  - From: juhlig <juhlig@parc.com>

Prev by Date: re: OpenLDAP for Central Auth?
Next by Date: Re: AW: Trying to add vacation.schema - object class violation error
Index(es):
- Chronological
- Thread