
Re: setting up openldap to proxy to AD on SUSE ENT 12



Peter wrote:
> 
> Am 26.02.19 um 18:18 schrieb N6Ghost:
>>
>> On 2/26/2019 12:07 AM, Dieter Klünter wrote:
>>> Am Mon, 25 Feb 2019 13:34:45 -0800
>>> schrieb N6Ghost <n6ghost@gmail.com>:
>>>
>>>> hi all,
>>>>
>>>> I am trying to set up an openldap proxy to AD and I need to use SUSE
>>>> Enterprise Linux 12.
>>>>
>>>> Hostname:/etc/openldap # rpm -qa|grep -i openldap
>>>> openldap2-2.4.41-18.43.1.x86_64
>>>> openldap2-client-2.4.41-18.43.1.x86_64
>>>>
>>>> what I am trying to do is proxy an application (with 1000s of users)
>>>> from talking directly to AD, to talking to openldap, and then have
>>>> openldap talk to AD.
>>>> looking across the net there is a bunch of stuff, but most of it does
>>>> not seem to apply, or work. looking at the official doc, it says use
>>>> sasl but you must have a local entry with a {sasl} tag on the user;
>>>> that's not really ideal and would make a huge problem. a few of the
>>>> posts online just said pointing to AD via ldap is possible? and this
>>>> application also has a group lookup as part of its auth process...
>>>> eg, only members of groupX can access....
>>>>
>>>> any help in this would be huge.
>>>>
>>>>
>>>> seems I am mixing up a few different ways of doing this. what's the
>>>> best way to do this?
>>> I presume you are running slapd with the slapd-ldap(5) backend.
>>> AD requires non-standard attribute types, which openldap does not
>>> provide. Include AD schema files into slapd.
>>> RFC 4513 requires SASL for strong binds; if your AD is set up as a KDC
>>> you may include openldap services as kerberos host and service principals.
>>>
>>> -Dieter
>>
>> where do i get the AD schema that's not in the schema directory?
> See Quanah's response
>> yeah i was working with /etc/slapd.conf, but in openldap 2.4 it seems
>> some stuff has changed,
> Maybe you mean the option to put the configuration in the LDAP data
> (below cn=config) instead of using slapd.conf. You can still use the
> latter though.
>> and lots of very conflicting information on how to go about getting
>> the proxy to AD; lots of posts say you can just have a config in
>> slapd.conf, but not only does that not work,
>> but many of the items in those configs don't work, and will not allow
>> the service to even start.
>>
>> then there is the matter where the official docs say you can pass
>> through, but the accounts need a local openldap account with {sasl}
>> tagged, which for a large
>> domain with 1000s of users is a pain.
> 
> So there are several possibilities to integrate OL and AD:
> 
> 1.) What you are referring to is pass-through authentication, where
> all data are managed in OL except the password, i.e. bind requests
> (authentication) are proxied to AD. This is done by including
> {SASL}username@realm in the userPassword attribute. If you have the AD
> username in OL already, this can be done with a script quite easily.
> 
> 2.) Using only the data in AD and letting OL proxy everything. This can
> be done via the ldap backend or the meta backend, both in combination
> with the rwm overlay. Here you need to include the AD schema pointed to
> by Quanah.
> 
> 3.) The kerberos-based solution mentioned by Dieter.
> 
> 4.) You can also have a look at the translucent proxy overlay.
> 
> Which solution is best for you depends on your requirements.

Don't forget slapo-pbind.


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
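As an added illustration of option 2 in the quoted reply (a constructed slapd.conf fragment, not configuration from anyone in this thread or from the OpenLDAP project): the ldap backend proxies everything to AD and the rwm overlay rewrites the suffix and the attribute names the application expects. Host names, DNs, the proxy account, the certificate path and the AD schema file name are placeholders.

```conf
# Constructed slapd.conf fragment: proxy an application's LDAP traffic
# to Active Directory with back-ldap plus slapo-rwm.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
# OpenLDAP does not ship AD attribute types (sAMAccountName, memberOf,
# ...); placeholder path to a locally maintained AD schema file.
include         /etc/openldap/schema/ad-placeholder.schema

moduleload      back_ldap.la
moduleload      rwm.la

database        ldap
# Suffix the application is pointed at.
suffix          "dc=example,dc=com"
# Placeholder AD host. ldaps:// so that proxied bind credentials are
# encrypted; the CA for this client connection is assumed to come from
# TLS_CACERT in /etc/openldap/ldap.conf.
uri             "ldaps://ad.example.com/"
# Forward each client's own bind to AD and keep using that identity
# for the client's later searches (the application's group lookup).
rebind-as-user  yes
# AD returns referrals for other partitions; do not follow them.
chase-referrals no
# Placeholder service account used for operations from clients that
# have not bound themselves; mode=none because AD does not honour the
# proxyAuthz control.
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=ad,dc=example,dc=com"
                credentials="CHANGEME-placeholder"
                mode=none
idassert-authzFrom "*"
network-timeout 10

overlay         rwm
# Map the suffix the application uses onto the AD naming context.
rwm-suffixmassage "dc=example,dc=com" "dc=ad,dc=example,dc=com"
# Present AD's logon name under the attribute the application asks for;
# pass every other attribute through unchanged (memberOf included).
rwm-map         attribute uid sAMAccountName
rwm-map         attribute * *
```

The proxy account only needs read access in AD; the application's own bind is what proves the user's password, and a failed bind is rejected by AD, not by the proxy.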