
OpenLDAP server as a proxy to AD and local auth db

Hi all -

Thanks in advance. I know this topic has been discussed at length but
I'm fairly new to it and haven't been able to find enough information
to get my implementation working. I've been piecing together bits and
pieces of what seems like the correct parameters, but I've had no
luck... and now that I've resorted to guessing, I'd like to ask for

So here's what I'm trying to achieve:

One OpenLDAP server that will A) proxy for a backend AD server and B)
maintain a local database for users that are not in AD. The AD system
will be used for internal/corp users while the local db will be used
for external/3rd party people. The AD system has _some_ of the unix
schema attributes, but not all so I will be doing some rewriting on
the openldap server. The linux workstations will use the single
openldap server and will only be used by internal users and we also
have some websites that are for internal/external users.

For the time being, I'm just working on part A - proxy requests for
these linux workstations to the backend AD server and get the proper
mapping figured out.

My present problem is that my openldap server is connecting
anonymously to the AD server and that's no good because that's not
allowed. I have an AD service account defined for the openldap server
connections, and have configured the correct values for the
'idassert-bind' directive (see below). Performing a manual ldapsearch
works fine when I define the same parameters on the command line, but
slapd isn't using the correct parameters it seems. Below are the
config files, etc., for each component... I hope this helps.

./ldapsearch -vvv -H ldap://corp-ad.mascorp.com -b "dc=mascorp,dc=com" -s sub -D "cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" -W

I've compiled and installed bdb v4.8 and openldap v2.4.23 from source.
Here's how I configured openldap:

LDFLAGS="-L/cluster/centauth/BerkeleyDB.4.8/lib" ./configure \
  --prefix=/cluster/centauth/openldap2.4 --enable-shared \
  --enable-crypt=yes --enable-rewrite=yes --enable-bdb=yes \
  --enable-hdb=yes --enable-ldap=mod --enable-meta=mod \
  --enable-monitor=yes --enable-relay=mod --enable-overlays=yes \
  --with-cyrus-sasl --with-threads=posix --with-tls=openssl

This is the client configuration on the linux workstation:

# /etc/ldap.conf
base dc=mascorp,dc=com
scope sub
timelimit 120
bind_timelimit 120
idle_timelimit 3600
uri ldap://sso.mascorp.com
ssl no
pam_password ad

This is the server config on the openldap server:

# /cluster/centauth/etc/slapd.conf
include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/misc.schema
include /usr/share/openldap2.4/schema/corba.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/ppolicy.schema
include /usr/share/openldap2.4/schema/ldapns.schema
include /cluster/centauth/etc/schema/microsoft.minimal.schema

pidfile         /cluster/centauth/var/run/slapd.pid
argsfile        /cluster/centauth/var/run/slapd.args
loglevel -1
monitoring on
defaultsearchbase "dc=mascorp,dc=com"
database        ldap
suffix          "dc=mascorp,dc=com"
uri             "ldap://corp-ad.mascorp.com";
acl-bind        bindmethod=simple binddn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" credentials="mofosecret"
idassert-bind   bindmethod=simple binddn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" credentials="mofosecret"
overlay rwm
rwm-map         attribute       uid                     sAMAccountName
rwm-map         attribute       homeDirectory           unixHomeDirectory
rwm-map         attribute       cn                      cn
rwm-map         attribute       displayName             displayName
rwm-map         attribute       givenName               givenName
rwm-map         attribute       sn                      sn
rwm-map         attribute       mail                    mail
rwm-map         attribute       userPassword            objectGUID
rwm-map         attribute       *
rwm-map         objectclass     posixAccount            organizationalPerson
rwm-map         objectclass     inetOrgPerson           user

access to dn.subtree="dc=mascorp,dc=com"
        by * read

# Pertinent logs from ldap2.4.log
Jan 20 00:13:57 sso slapd[30527]: do_bind: v3 anonymous bind
Jan 20 00:13:57 sso slapd[30527]: ==> limits_get: conn=1000 op=1
self="[anonymous]" this="dc=mascorp,dc=com"
Jan 20 00:13:57 sso slapd[30527]: send_ldap_result: err=1 matched=""
text="00000000: LdapErr: DSID-0C090627, comment: In order to perform
this operation a successful bind must be completed on the connection.,
data 0, vece"
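An added example, not part of the post above: a small Python checker that joins syslog-wrapped slapd lines and flags the pattern seen in the excerpt, an anonymous bind on a slapd process followed by AD's "a successful bind must be completed" rejection, which is the signature of the proxy forwarding the anonymous client instead of its configured idassert identity. The sample log lines are constructed to mirror the excerpt.

```python
"""Flag slapd log sequences where an anonymous client bind is followed by an
upstream AD err=1 'bind must be completed' result (proxy identity not asserted)."""
import re
from collections import defaultdict

# Constructed sample log, wrapped the same way syslog/mail wrapped the post's excerpt.
SAMPLE_LOG = """\
Jan 20 00:13:57 sso slapd[30527]: do_bind: v3 anonymous bind
Jan 20 00:13:57 sso slapd[30527]: ==> limits_get: conn=1000 op=1
self="[anonymous]" this="dc=mascorp,dc=com"
Jan 20 00:13:57 sso slapd[30527]: send_ldap_result: err=1 matched=""
text="00000000: LdapErr: DSID-0C090627, comment: In order to perform
this operation a successful bind must be completed on the connection.,
data 0, vece"
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ANON_BIND_RE = re.compile(r"do_bind: v\d anonymous bind")
AD_NOBIND_RE = re.compile(r"err=1 .*successful bind must be completed")

def parse(log_text):
    """Return (timestamp, pid, message) tuples; lines that do not start with a
    syslog header are treated as continuations of the previous message."""
    records = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append([m["ts"], m["pid"], m["msg"]])
        elif records:
            records[-1][2] += " " + raw.strip()
    return [tuple(r) for r in records]

def find_unasserted_anon_ops(log_text):
    """Return [(pid, timestamp)] for each AD 'bind must be completed' result that
    follows an anonymous client bind on the same slapd process."""
    anon_pending = defaultdict(bool)
    hits = []
    for ts, pid, msg in parse(log_text):
        if ANON_BIND_RE.search(msg):
            anon_pending[pid] = True
        elif AD_NOBIND_RE.search(msg) and anon_pending[pid]:
            hits.append((pid, ts))
            anon_pending[pid] = False
    return hits

if __name__ == "__main__":
    for pid, ts in find_unasserted_anon_ops(SAMPLE_LOG):
        print(f"{ts}: slapd[{pid}] forwarded an anonymous client and AD refused the operation")
```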