Re: OpenLDAP server as a proxy to AD and local auth db

On 21/01/2011 21:01, L.B. wrote:
> Hi all -
> Thanks in advance. I know this topic has been discussed at length but
> I'm fairly new to it and haven't been able to find enough information
> to get my implementation working. I've been piecing together bits and
> pieces of what seems like the correct parameters, but I've had no
> luck... and now that I've resorted to guessing, I'd like to ask for
> help.
> So here's what I'm trying to achieve:
> One OpenLDAP server that will A) proxy for a backend AD server and B)
> maintain a local database for users that are not in AD. The AD system
> will be used for internal/corp users while the local db will be used
> for external/3rd party people. The AD system has _some_ of the unix
> schema attributes, but not all so I will be doing some rewriting on
> the openldap server. The linux workstations will use the single
> openldap server and will only be used by internal users and we also
> have some websites that are for internal/external users.
> For the time being, I'm just working on part A - proxy requests for
> these linux workstations to the backend AD server and get the proper
> mapping figured out.
> My present problem is that my openldap server is connecting
> anonymously to the AD server and that's no good because that's not
> allowed. I have an AD service account defined for the openldap server
> connections, and have configured the correct values for the
> 'idassert-bind' directive (see below). Performing a manual ldapsearch
> works fine when I define the same parameters on the command line, but
> slapd isn't using the correct parameters it seems. Below are the
> config files, etc for each component... I hope this helps.
> ./ldapsearch -vvv -H ldap://corp-ad.mascorp.com -b "dc=mascorp,dc=com"
> -s sub -D "cn=agis-ldap,ou=service
> accounts,ou=administrators,dc=mascorp,dc=com" -W
> This is the server config on the openldap server:
> [...]
> idassert-bind   bindmethod=simple binddn="cn=agis-ldap,ou=service
> accounts,ou=administrators,dc=mascorp,dc=com" credentials="mofosecret"
> access to dn.subtree="dc=mascorp,dc=com"

Look into the "mode" parameter of idassert-bind. For example, by adding
"mode=none" to the end of the above line, slapd will always use the
given binddn and credentials to forward anonymous connections to AD. Of
course, this may be seen as a security flaw: you're giving anonymous
access via OpenLDAP to a directory that doesn't allow anonymous access -
use with care (this said, if access to your OpenLDAP directory is
protected in another way, I see no reason not to do this).

For your part B), I suggest looking into the subordinate keyword: add a
"hdb" database to your config, and place the AD proxy as a subordinate
to that. You'll then be able to have "local" users in OpenLDAP, and a
subtree that is a proxy to your AD.

Once you're there, it may be worthwhile setting up pcache (caching
proxy), to save a bit of traffic between OpenLDAP and AD, and possibly
provide some security against AD being unavailable and "breaking" your
OpenLDAP installation.
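The three suggestions above (mode=none on the idassert-bind, a local hdb database with the AD proxy as a subordinate subtree, and pcache in front of AD) put together in one slapd.conf, as an added example that is neither L.B.'s configuration nor anything from the reply. The AD host and service-account DN are the ones from the original post; the local suffix dc=example,dc=com, the mount point ou=corp,dc=example,dc=com, the paths under /var/lib/ldap, the cached attribute set and the password placeholders are assumptions. The ACL on the proxied subtree is the "protected in another way" part: since mode=none sends every request to AD as the service account, slapd itself has to refuse anonymous reads of that subtree, which works for back-ldap because read access to returned entries is still enforced by the frontend.

```conf
# slapd.conf, OpenLDAP 2.4 directive names. Added example, not the
# poster's config. Assumed: local suffix dc=example,dc=com, AD mounted
# at ou=corp,dc=example,dc=com, databases under /var/lib/ldap.
# AD host and service-account DN are taken from the original post;
# both passwords below are placeholders.

#### Part A: back-ldap proxy to AD. Declared first: in slapd.conf a
#### subordinate database must appear before its superior.
database        ldap
suffix          "ou=corp,dc=example,dc=com"
subordinate
uri             "ldap://corp-ad.mascorp.com"

# mode=none: never try to assert the client's identity towards AD; every
# operation, including those from anonymous clients, goes out with the
# service account's credentials. idassert-authzFrom "*" states explicitly
# that every local identity (anonymous included) may use the assertion.
idassert-bind   bindmethod=simple
                binddn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com"
                credentials="REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
                mode=none
idassert-authzFrom "*"

# The flip side of mode=none: slapd must not become an anonymous window
# into AD, so only authenticated clients may read the proxied subtree.
# back-ldap delegates most ACL checks to AD, but read access on the
# entries it returns is still enforced here by the frontend.
access to dn.subtree="ou=corp,dc=example,dc=com"
        by users read
        by * none

# Present AD's real naming context under the local one.
overlay         rwm
rwm-suffixmassage "ou=corp,dc=example,dc=com" "dc=mascorp,dc=com"

# Cache the lookups the workstations' NSS/PAM issue most, so round trips
# and short AD outages hurt less. Declared after rwm so it is the
# outermost overlay and sees the client's (rewritten) view of the DNs.
# pcache <db> <max_entries> <numattrsets> <entry_limit> <cc_period>
overlay         pcache
pcache          hdb 10000 1 50 100
pcache-attrset  0 uid uidNumber gidNumber cn homeDirectory loginShell gecos
# Templates: (uid=) and (uidNumber=) answered from cache for 15 minutes,
# negative answers kept for 1 minute.
pcache-queryTemplate (uid=) 0 900 60
pcache-queryTemplate (uidNumber=) 0 900 60
directory       /var/lib/ldap/pcache
index           objectClass eq
index           uid,uidNumber eq

#### Part B: the local directory for external/third-party users, superior
#### of the proxy above; the glue makes both appear as one tree.
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
# Placeholder: put the output of slappasswd here, not a cleartext password.
rootpw          "REPLACE_WITH_SLAPPASSWD_HASH"
directory       /var/lib/ldap/example
index           objectClass,uid eq

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by users read
        by * none
```

Check the file with `slaptest -u -f slapd.conf` before restarting slapd. Then verify the ACL does what it should: an anonymous `ldapsearch -x -b "ou=corp,dc=example,dc=com" "(uid=someuser)"` against the OpenLDAP server must return nothing, while the same search with `-D` and a local or AD identity returns the entry (sent to AD as the service account). On the AD side, the security log or a packet capture should show only the service account binding, never anonymous binds.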

