
Re: setting up openldap to proxy to AD on SUSE ENT 12



On Tue, 26 Feb 2019 09:18:09 -0800, N6Ghost <n6ghost@gmail.com> wrote:

> On 2/26/2019 12:07 AM, Dieter Klünter wrote:
> > On Mon, 25 Feb 2019 13:34:45 -0800, N6Ghost <n6ghost@gmail.com> wrote:
> >  
> >> hi all,
> >>
> >> I am trying to set up an openldap proxy to AD and I need to use SUSE
> >> Enterprise Linux 12.
> >>
> >> Hostname:/etc/openldap # rpm -qa|grep -i openldap
> >> openldap2-2.4.41-18.43.1.x86_64
> >> openldap2-client-2.4.41-18.43.1.x86_64
> >>
> >> What I am trying to do is proxy an application (with 1000s of
> >> users) from talking directly to AD to talking to openldap, and
> >> then have openldap talk to AD.
> >> Looking across the net there is a bunch of stuff, but most of it does
> >> not seem to apply, or work. Looking at the official doc, it says use
> >> SASL, but you must have a local entry with a {SASL} tag on the user;
> >> that's not really ideal and would make a huge problem. A few of the
> >> posts online just said pointing to AD via ldap is possible? And this
> >> application also has a group lookup as part of its auth
> >> process... e.g., only members of groupX can access....
> >>
> >> Any help in this would be huge.
> >>
> >>
> >> It seems I am mixing up a few different ways of doing this. What's
> >> the best way to do this?  
> > I presume you are running slapd with the slapd-ldap(5) backend.
> > AD requires non-standard attribute types, which openldap does not
> > provide. Include AD schema files into slapd.
> > RFC 4513 requires SASL for strong binds; if your AD is set up as a KDC
> > you may include the openldap services as Kerberos host and service
> > principals.
> >
> > -Dieter  
> 
> Where do I get the AD schema that's not in the schema directory? Yeah,
> I was working with /etc/slapd.conf, but in openldap 2.4 it seems some
> stuff has changed, and there is lots
> of very conflicting information on how to go about getting the proxy
> to AD. Lots of posts say you can just have a config in slapd.conf,
> but that not only does not work,
> but many of the items in those configs don't work, and will not allow
> the service to even start.

Not much has changed since openldap-2.1 with regard to protocol
requirements.
> 
> Then there is the matter where the official docs say you can pass
> through, but the accounts need a local openldap account with {SASL}
> tagged, which for a large
> domain with 1000s of users is a pain.

That's why I pointed to Kerberos.

> And it seems openldap is more of a solutions backend that has a
> bazillion options, and you build out a design and options, configs
> etc. based on your needs.
> And you've got to hunt down the how and what's supported etc., and you
> have to deal with the distros' packaging....

Most of the options you refer to are built in by default, that is,
you only need to tweak the configuration parameters required for your setup.

Just as a hint:
 ldapsearch -x -H ldap://path/to/AD -b "" -s base "(objectClass=*)" \
  namingContexts subschemaSubentry

Search for the subschemaSubentry attribute type.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
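The following is an added example, not part of the thread or of OpenLDAP itself. It takes the rootDSE hint from Dieter's reply one step further: it pulls namingContexts and subschemaSubentry out of the ldapsearch output, builds the follow-up search that fetches the AD schema (the attribute types Dieter says slapd needs to know about), and emits a minimal slapd-ldap(5) stanza for proxying the domain naming context. The host ad.example.test, the DNs in the sample LDIF and the schema file path are constructed placeholders; the directives in the stanza are the ones documented in slapd-ldap(5).

```shell
#!/bin/sh
# Added example (not from the thread): discovery step from the rootDSE hint plus a
# minimal slapd-ldap(5) proxy stanza built from the result. All names are constructed.

# Constructed sample of what the rootDSE query from the post returns (LDIF, -LLL style):
#   ldapsearch -x -LLL -H ldap://ad.example.test -b "" -s base "(objectClass=*)" \
#     namingContexts subschemaSubentry
SAMPLE_ROOTDSE='dn:
namingContexts: DC=example,DC=test
namingContexts: CN=Configuration,DC=example,DC=test
namingContexts: CN=Schema,CN=Configuration,DC=example,DC=test
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=test
'

# Print every value of one attribute from LDIF text ($1 = LDIF, $2 = attribute name).
# Attribute names match case-insensitively, as in LDAP; only unfolded, non-base64
# values are handled, which is enough for rootDSE DNs.
ldif_value() {
  printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    index($0, ":") > 0 {
      name = tolower(substr($0, 1, index($0, ":") - 1))
      if (name == want) { sub(/^[^:]*: */, ""); print }
    }'
}

# The subschemaSubentry DN is the -b base for the follow-up schema search.
subschema_dn() { ldif_value "$1" subschemaSubentry | head -n 1; }

# The domain naming context is listed first in this constructed sample.
domain_nc() { ldif_value "$1" namingContexts | head -n 1; }

# Follow-up search the hint leads to: read attributeTypes/objectClasses from the
# subschema subentry so they can be compared with the schema slapd already loads.
schema_search_cmd() {
  printf 'ldapsearch -x -LLL -H %s -b "%s" -s base "(objectClass=subschema)" attributeTypes objectClasses\n' "$1" "$2"
}

# Minimal slapd.conf stanza for a back-ldap proxy of the domain NC ($1 = AD URI,
# $2 = suffix). Directives are from slapd-ldap(5); paths and hostnames are assumptions.
proxy_conf() {
  ad_uri=$1
  suffix=$2
  cat <<EOF
include         /etc/openldap/schema/core.schema
# AD-specific attribute types must be added here (see the thread), e.g.:
# include       /etc/openldap/schema/ad-extra.schema   (placeholder file name)
moduleload      back_ldap

database        ldap
suffix          "$suffix"
uri             "$ad_uri"
protocol-version 3
# Do not let the proxy follow AD referrals to other DCs or forests
chase-referrals no
# Client binds are forwarded to AD as-is; StartTLS protects them on the proxy-to-AD hop
tls             start
EOF
}

# Usage with the constructed sample (replace with real ldapsearch output):
#   subschema_dn "$SAMPLE_ROOTDSE"
#   schema_search_cmd ldap://ad.example.test "$(subschema_dn "$SAMPLE_ROOTDSE")"
#   proxy_conf ldap://ad.example.test "$(domain_nc "$SAMPLE_ROOTDSE")"
```

The stanza deliberately leaves out idassert-bind: with plain forwarding, each application user's own bind is relayed to AD, so the proxy holds no privileged AD credential of its own, which is the simplest way to keep the group-membership lookup the application performs subject to AD's own access control.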