
Re: setting up openldap to proxy to AD on SUSE ENT 12




On 2/26/2019 12:07 AM, Dieter Klünter wrote:
> On Mon, 25 Feb 2019 13:34:45 -0800,
> N6Ghost <n6ghost@gmail.com> wrote:
>
>> hi all,
>>
>> I am trying to set up an openldap proxy to AD and I need to use SUSE
>> Enterprise Linux 12.
>>
>> Hostname:/etc/openldap # rpm -qa|grep -i openldap
>> openldap2-2.4.41-18.43.1.x86_64
>> openldap2-client-2.4.41-18.43.1.x86_64
>>
>> what I am trying to do is proxy an application (with 1000s of users)
>> from talking directly to AD, to talking to openldap, and then have
>> openldap talk to AD.
>> Looking across the net there is a bunch of stuff, but most of it does not
>> seem to apply, or work. Looking at the official doc, it says use SASL, but
>> you must have a local entry with a {SASL} tag on the user; that's not
>> really ideal and would make a huge problem. A few of the posts online
>> just said pointing to AD via ldap is possible? And this application also
>> has a group lookup as part of its auth process... e.g., only members of
>> groupX can access....
>>
>> any help in this would be huge.
>>
>>
>> seems I am mixing up a few different ways of doing this; what's the
>> best way to do this?
>
> I presume you are running slapd with the slapd-ldap(5) backend.
> AD requires non-standard attribute types, which openldap does not
> provide. Include AD schema files into slapd.
> RFC-4513 requires SASL for strong binds; if your AD is set up as KDC you
> may include openldap services as kerberos host and service principals.
>
> -Dieter

where do I get the AD schema that's not in the schema directory? Yeah, I was working with /etc/slapd.conf, but in openldap 2.4 it seems some stuff has changed, and there is lots of very conflicting information on how to go about getting the proxy to AD. Lots of posts say you can just have a config in slapd.conf, but that not only does not work, many of the items in those configs don't work and will not allow the service to even start.

then there is the matter where the official docs say you can pass through, but the accounts need a local openldap account tagged with {SASL}, which for a large domain with 1000s of users is a pain.

and it seems openldap is more of a solutions backend that has a bazillion options, and you build out a design and options, configs, etc. based on your needs, and you've got to hunt down the how and what's supported, etc., and you have to deal with the distro's packaging....


-N6Ghost
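Added example for readers of this thread (it is not from either poster, nor from the OpenLDAP project's documentation): a minimal slapd.conf for the slapd-ldap(5) proxy Dieter refers to. It covers the two points raised above: the AD attribute types the application actually filters on (sAMAccountName for the login, memberOf for the group check) are declared locally so slapd does not treat such filters as undefined, and searches are run under one dedicated read-only service account via identity assertion instead of a local {SASL} entry per user, while each user's own simple bind is still forwarded to AD. The domain, hostnames, DNs, file paths and password are placeholders; the attribute OIDs are Microsoft's published ones.

```conf
# Added example, not from the thread. All DNs, hosts, paths and the
# password are placeholders for an assumed domain "example.com".

include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema

# Local definitions of the AD attribute types the application filters on.
# Without them a filter like (sAMAccountName=jdoe) or
# (memberOf=cn=groupX,ou=Groups,dc=example,dc=com) is "undefined" to slapd
# and matches nothing, even though AD would answer it. Only the attributes
# used in filters need declaring; attributes merely returned pass through.
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
    EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.2.840.113556.1.2.102 NAME 'memberOf'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

pidfile   /run/slapd/slapd.pid
argsfile  /run/slapd/slapd.args

database  ldap
suffix    "dc=example,dc=com"           # placeholder: AD domain naming context
uri       "ldaps://dc1.example.com/"    # placeholder: domain controller
protocol-version 3

# AD answers with referrals for other partitions (ForestDnsZones etc.);
# following them from the proxy only produces timeouts for the client.
chase-referrals no

# Verify the DC certificate against the CA that issued it (placeholder path)
# instead of accepting any certificate.
tls ldaps tls_reqcert=demand tls_cacert=/etc/openldap/ad-ca.pem

# A client's own simple bind is forwarded to AD and reused for that
# connection, so the proxy never stores user passwords.
rebind-as-user yes

# Searches on unbound (anonymous) connections, which AD refuses by default,
# are performed as one read-only service account instead. mode=none means
# no per-user identity is asserted toward AD; the operation simply runs as
# this account. Keep the account unprivileged: it only needs to read users
# and groups.
idassert-bind bindmethod=simple
    binddn="cn=ldapproxy,ou=Service Accounts,dc=example,dc=com"
    credentials="placeholder-password"
    mode=none
idassert-authzFrom "*"

# Check from a client (placeholder values), e.g.:
#   ldapsearch -H ldap://proxy.example.com -x -b dc=example,dc=com \
#     "(sAMAccountName=jdoe)" memberOf
# should return the user's memberOf values via the service account, and
#   ldapwhoami -H ldap://proxy.example.com -x \
#     -D "cn=jdoe,ou=Users,dc=example,dc=com" -W
# should succeed only with jdoe's real AD password.
```

The file should be readable by the slapd user only, since it carries the service-account password; on SUSE the distribution's packaging decides whether slapd reads slapd.conf or a converted cn=config tree, so check which one the installed unit actually starts with before debugging directives that appear to be ignored.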