[Date Prev][Date Next] [Chronological] [Thread] [Top]

R: openldap proxy to AD

-----Messaggio originale-----
Da: Jonathan Clarke [mailto:jonathan@phillipoux.net] 
Inviato: martedì, 3. aprile 2012 18:12
A: Induni, Marco
Cc: openldap-technical@openldap.org
Oggetto: Re: openldap proxy to AD

On 03/04/12 16:47, Induni, Marco wrote:
> Hi all,
> I'm building an openldap proxy to an AD server and adding a little of
> "intelligence" based on the client request.
> Unfortunately the client/program asking information about an account,
> need to be setup with user and password.
> There is a way to let the proxy "ignore" this user and password and
> instead just use the ones specified on the slapd.conf file ?
> Or setup fake credential somewhere ?
> In detail, query are something like:
> ldapsearch -x -h openldap-proxy -w "secret" -D
> "CN=MGRADREAD05,CN=MGR,DC=example,DC=com" -b "dc=pmm,dc=int"
> userPrincipalName=TST-USER10
> but I need that the proxy exclude the "-w "secret" -D
> "CN=MGRADREAD05,CN=MGR,DC=example,DC=com" part, and use the one on the
> conf file.
> In fact if I do a query like:
> ldapsearch -x -h openldap-proxy -w "secret" -D
> "CN=MGRADREAD05,CN=MGR,DC=example,DC=com" -b "dc=pmm,dc=int"
> userPrincipalName=TST-USER10
> it works.
> Here the slapd.conf
> database        meta
> suffix          "dc=pmm,dc=int"
> uri             "ldap://,dc=int";
> suffixmassage   "dc=pmm,dc=int" "dc=media,dc=int"
> rewriteContext  searchFilter
> rewriteRule "userPrincipalName=(.*)@rtsi.ch"
> "userPrincipalName=%1@rsi.ch"  ":"
> rewriteRule "sAMAccountName=([:alnum:])" "userPrincipalName=%1@rtr.ch"
> ":"
> idassert-bind
>         bindmethod=simple
> binddn="CN=svc-adread05,CN=AdminAccounts,OU=RSI,OU=Units,DC=media,DC=int
> "
>         credentials="Comano2012"
>         mode=self
> idassert-authzFrom "dn.regex:.*"
> Any idea ?

You can configure the ldap and meta backends to use a different
authentication for the outgoing connection to the proxied server by
setting mode=none in the idassert-bind directive. For example:

idassert-bind bindmethod=simple binddn="cn=proxyuser,dc=ad,dc=com"
credentials=secret mode=none

Will cause all connections to the proxied LDAP server to use those
credentials. Is this what you're trying to achieve?

What I want to achieve is that when I do a query like this one to the proxy ldap server:

> ldapsearch -x -h openldap -w "secret2" -D "CN=MGRADREAD05,DC=rtsi,DC=ch" -b "dc=pmm,dc=int" userPrincipalName=TST-USER10

the credential used (binddn and password) will be the ones I specify on the conf file, and not the one from the command line.

The problem is that I want to put the proxy in front of a couple of system, where I can't set any blank binddn and password (I get a failure with empty parameter). 

I've tried with mode=none but, in that case:

> ldapsearch -x -h openldap -w "secret2" -D "CN=MGRADREAD05,CN=MGR,rtsi,DC=ch" -b "dc=pmm,dc=int" userPrincipalName=TST-RSIUSER10 cn 
I receive this error: 

ldap_bind: Invalid credentials (49)

In case of empty binddn and password, it work's either with mode=none and mode=self

> ldapsearch -x -h -b "dc=pmm,dc=int" userPrincipalName=TST-RSIUSER10* cn

# extended LDIF
# LDAPv3
# base <dc=pmm,dc=int> with scope subtree
# filter: userPrincipalName=TST-RSIUSER10*
# requesting: cn

# TST-RSIUSER10, Users, RSI, Units, pmm.int
dn: cn=TST-RSIUSER10,ou=Users,ou=RSI,ou=Units,dc=pmm,dc=int

# search reference
ref: ldap://media.int/CN=Configuration,DC=media,DC=int

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1

Many thank's


Visit: http://www.rsi.ch

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify postmaster@rsi.ch