
Re: not getting ldap proxy to AD working... please help

On Tue, 1 Oct 2019 18:35:16 +1000,
Drikus Brits <drikusinaus@gmail.com> wrote:

> Heya experts.
> 
> I need some guidance. I am having difficulty deploying my
> requirements. I need to deploy a couple of U18 servers/containers.
> These servers all need to authenticate with LDAP accounts that are
> active and in a certain group on AD, but the IT team doesn't want to
> allow IPs and ports from servers across the network and so I have to
> set up an LDAP proxy that will speak to AD on behalf of all the other
> machines eg jumphost. The windows AD cannot be modified to add extra
> groups eg posixAccount, uidNumber, gidNumber, loginShell,
> homeDirectory etc.
> 
> I can successfully run an ldapsearch from the proxy machine to the AD
> and query a user based on the sAMAccountName and am getting successful
> results back from AD. However, when the jumphost (proxy set as ldap
> authhost) tries to authenticate with the proxy, then I see the request
> coming in from the jumphost to ldap proxy, and see the ldap proxy
> sending the request to the windows AD, but it forwards the same
> details as it sent to the local to the remote; eg
> objectClass=posixAccount, uid=testuser. This doesn't exist on the AD
> and so returns no result. I've tried to do rewrites and according to
> the packet captures, saw that the rewrite was working somewhat. I was
> able to rewrite uid to sAMAccountName, but not sure what to rewrite
> the posixAccount to....
> 
> So ideally what I'd like to see happening is that :
> 
>  1) user logs onto jumphost with username "testuser"
>  2) user lookup & authentication goes to ldap_proxy
>  3) ldap_proxy sends a request to AD to check if the user exists and is
>     active and to match against the password
>  4) upon username=exists, is=active, password=ok return the result to
>     ldap_proxy
>  5) ldap_proxy returns the necessary to jumphost eg;
>     a) posixAccount
>     b) homeDirectory
>     c) loginShell
> 
> I've tried following a couple of different options to make it work,
> but right now I'm not sure which option is the correct one eg; (mdb
> config + ldap backend) or (meta + ldap backend ) or ( ldap +  pcache )
> and whether to rewrite or not to rewrite. From my understanding, I am
> looking for something that sounds like a meta setup that combines the
> local and remote data...is my understanding correct?
> 
> I've seen this working at a previous employer but not sure whether
> their AD was modified and that is why it was working there, or whether
> the solution is workable without having to force the IT guys' hand and
> add extra vars..
> 
> I've scouted the openldap mailing list as well for answers but there
> is a plethora of no replies and some replies that somewhat match
> what I'm trying to do...
> 
> Any guidance would be super appreciated
> 
Create a private schema based on AD attribute types and load this
schema into the ldap proxy.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
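As an added illustration of the advice above (this is not Dieter's own configuration nor anything shipped by the OpenLDAP project), here is what "a private schema based on AD attribute types, loaded into the proxy" plus the uid/posixAccount mapping from the original question could look like in slapd.conf. Host names, DNs, the service-account DN, the schema file path and the Ubuntu module paths are placeholders; the attribute and objectClass OIDs are quoted from the AD schema and should be checked against the forest's own schema before use.

```conf
# --- /etc/ldap/schema/ad-private.schema (assumed path) ---
# Only the AD attributes the proxy has to parse and hand back to the
# jumphost. Without definitions for them slapd does not know the
# attributes AD returns, which is why the proxy needs a private schema.
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.2.840.113556.1.4.8 NAME 'userAccountControl'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.2.840.113556.1.2.102 NAME 'memberOf'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
objectclass ( 1.2.840.113556.1.5.9 NAME 'user'
    SUP organizationalPerson STRUCTURAL
    MAY ( sAMAccountName $ userAccountControl $ memberOf ) )

# --- /etc/ldap/slapd.conf on the proxy (Ubuntu paths assumed) ---
include     /etc/ldap/schema/core.schema
include     /etc/ldap/schema/cosine.schema
include     /etc/ldap/schema/inetorgperson.schema
include     /etc/ldap/schema/nis.schema
include     /etc/ldap/schema/ad-private.schema

modulepath  /usr/lib/ldap
moduleload  back_ldap.la
moduleload  rwm.la

database    ldap
# Same naming context on both sides; if the proxy must present a different
# base to the jumphost, rwm-suffixmassage renames it.
suffix      "dc=corp,dc=example,dc=com"
# The proxy is the only host the IT team allows to reach AD.
# TLS trust settings (tls_cacert=...) are omitted here.
uri         "ldaps://ad.corp.example.com/"
# Searches from the jumphost are performed as the proxy's own service
# account (AD has no proxy-authorization, hence mode=none).
idassert-bind bindmethod=simple
    binddn="cn=ldapproxy,ou=Service Accounts,dc=corp,dc=example,dc=com"
    credentials="PLACEHOLDER_PASSWORD"
    mode=none
idassert-authzFrom "*"
# A user's own simple bind is forwarded to AD unchanged, so the password
# is verified by AD and never evaluated on the proxy; keep the
# credentials for reconnects.
rebind-as-user yes

overlay rwm
# (uid=testuser) from the jumphost becomes (sAMAccountName=testuser) on AD,
# and (objectClass=posixAccount) becomes (objectClass=user). Attribute names
# in the returned entries are mapped back the other way.
rwm-map attribute   uid          sAMAccountName
rwm-map objectclass posixAccount user
```

Two things to keep in mind when adapting this. The mapping only renames attributes and object classes in filters and results; it cannot create values AD does not store, so uidNumber, gidNumber, homeDirectory and loginShell still need a source somewhere (the question notes AD cannot be extended with them), and a client that insists on those attributes will not be satisfied by the mapping alone. The "active and in a certain group" requirement is expressed as an ordinary search filter on the jumphost side, using userAccountControl and memberOf, which is why both attributes appear in the private schema.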