Re: not getting ldap proxy to AD working... please help
- To: Dieter Klünter <dieter@dkluenter.de>
- Subject: Re: not getting ldap proxy to AD working... please help
- From: Drikus Brits <drikusinaus@gmail.com>
- Date: Tue, 8 Oct 2019 10:14:43 +1100
- Cc: openldap-technical@openldap.org
- In-reply-to: <20191002093812.486c40e5@pink.fritz.box>
- References: <CANjKXcXeB-SZmn3jkHY00k2AvNfQaRV38D+Z9wAB=hNjmrUneA@mail.gmail.com> <20191002093812.486c40e5@pink.fritz.box>
Thanks, I'll try that.
On Wed, Oct 2, 2019 at 5:40 PM Dieter Klünter <dieter@dkluenter.de> wrote:
>
> On Tue, 1 Oct 2019 18:35:16 +1000, Drikus Brits <drikusinaus@gmail.com>
> wrote:
>
> > Heya experts.
> >
> > I need some guidance. I am having difficulty deploying my
> > requirements. I need to deploy a couple of U18 servers/containers.
> > These servers all need to authenticate with LDAP accounts that are
> > active and in a certain group on AD, but the IT team doesn't want to
> > allow IPs and ports from servers across the network, so I have to
> > set up an LDAP proxy that will speak to AD on behalf of all the other
> > machines, e.g. a jumphost. The Windows AD cannot be modified to add
> > extra groups, e.g. posixAccount, uidNumber, gidNumber, loginShell,
> > homeDirectory, etc.
> >
> > I can successfully run an ldapsearch from the proxy machine to the AD
> > and query a user based on the sAMAccountName, and I am getting
> > successful results back from AD. However, when the jumphost (with the
> > proxy set as LDAP auth host) tries to authenticate with the proxy, I
> > see the request coming in from the jumphost to the LDAP proxy, and see
> > the LDAP proxy sending the request to the Windows AD, but it forwards
> > the same details that were sent to the local server on to the remote
> > one, e.g. objectClass=posixAccount, uid=testuser. These don't exist on
> > the AD and so it returns no result. I've tried doing rewrites and,
> > according to the packet captures, saw that the rewrite was working
> > somewhat. I was able to rewrite uid to sAMAccountName, but I'm not
> > sure what to rewrite the posixAccount to....
> >
> > So ideally what I'd like to see happening is this:
> >
> > 1) user logs onto the jumphost with username "testuser"
> > 2) user lookup & authentication go to ldap_proxy
> > 3) ldap_proxy sends a request to AD to check if the user exists and is
> > active, and matches the password
> > 4) upon username=exists, is=active, password=ok, the result is returned
> > to ldap_proxy
> > 5) ldap_proxy returns the necessary to the jumphost, e.g.:
> > a) posixAccount
> > b) homeDirectory
> > c) loginShell
> >
> > I've tried following a couple of different options to make it work,
> > but right now I'm not sure which option is the correct one, e.g. (mdb
> > config + ldap backend) or (meta + ldap backend) or (ldap + pcache),
> > and whether to rewrite or not to rewrite. From my understanding, I am
> > looking for something that sounds like a meta setup that combines the
> > local and remote data... is my understanding correct?
> >
> > I've seen this working at a previous employer, but I'm not sure whether
> > their AD was modified and that is why it was working there, or whether
> > the solution is workable without having to force the IT guys' hand and
> > add extra vars..
> >
> > I've scouted the openldap mailing list as well for answers, but there
> > is a plethora of no replies and some replies that somewhat match
> > what I'm trying to do...
> >
> > Any guidance would be super appreciated
> >
> Create a private schema based on AD attribute types and load this
> schema into the ldap proxy.
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E
>
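As an added example (not code from this thread, nor from OpenLDAP's own documentation), here is one way to put Dieter's advice together with the uid-to-sAMAccountName rewrite the original poster already had working: a slapd.conf-style back-ldap proxy with the rwm overlay, plus a small private schema that declares the AD attribute types the proxy has to know before it can map to them or pass filters on them through. All DNs, hostnames, file paths and the service-account name are assumptions; the OIDs are the ones the AD schema uses for these types and should be checked against the target forest's schema partition before use.

```conf
##### /etc/ldap/schema/ad-proxy.schema  (assumed path; private schema loaded on the proxy)
# Declares the AD attribute types and the 'user' object class so that slapd on the
# proxy accepts them in filters, in returned entries and in rwm-map statements.
# OIDs/syntaxes are the AD schema's; verify them against your forest
# (cn=Schema,cn=Configuration,<forest root>) before relying on them.
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
    EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.2.840.113556.1.4.8 NAME 'userAccountControl'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.2.840.113556.1.2.102 NAME 'memberOf'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
objectclass ( 1.2.840.113556.1.5.9 NAME 'user'
    SUP organizationalPerson STRUCTURAL
    MAY ( sAMAccountName $ userAccountControl $ memberOf ) )

##### /etc/ldap/slapd.conf on the proxy (assumed; slapd.conf syntax, convert to cn=config if needed)
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/nis.schema        # posixAccount, uid, ... for the jumphost-facing side
include         /etc/ldap/schema/ad-proxy.schema   # the private AD schema above

moduleload      back_ldap.la
moduleload      rwm.la

# The jumphost sends the user's password in a simple bind, so refuse anything that
# is not TLS-protected (TLSCertificateFile/TLSCertificateKeyFile not shown here).
security        ssf=128

database        ldap
suffix          "dc=example,dc=com"              # assumed: the naming context the jumphost sees
uri             "ldaps://dc1.ad.example.com/"    # assumed: the AD domain controller, over TLS
protocol-version 3
chase-referrals no                               # AD hands out referrals; do not follow them

# AD refuses anonymous searches, so the jumphost's unauthenticated user-to-DN
# lookup (the search that precedes the user's own bind) is performed as a
# read-only service account. mode=none: bind as that account, do not try to
# assert the client's identity towards AD.
idassert-bind   bindmethod=simple
                binddn="cn=ldap-proxy,ou=Service Accounts,dc=ad,dc=example,dc=com"
                credentials="replace-with-the-service-account-password"
                mode=none
idassert-authzFrom "*"   # lets anonymous clients use it; tighten to your jumphosts' identities

overlay         rwm
# Present dc=ad,dc=example,dc=com as dc=example,dc=com. The user's real AD DN
# (CN=...,OU=...,DC=ad,...) is massaged on the way out and massaged back when the
# jumphost binds with it, so the user's own simple bind reaches AD unchanged.
rwm-suffixmassage "dc=example,dc=com" "dc=ad,dc=example,dc=com"

# Rename what pam_ldap/nslcd on the jumphost asks for into what AD carries.
# A filter (&(objectClass=posixAccount)(uid=testuser)) goes to AD as
# (&(objectClass=user)(sAMAccountName=testuser)), and sAMAccountName / objectClass
# values in the returned entries are renamed back. Specific maps go first, the
# wildcard maps last.
rwm-map         attribute   uid           sAMAccountName
rwm-map         objectclass posixAccount  user
# Everything not listed above passes through under its original name.
rwm-map         attribute   *             *
rwm-map         objectclass *             *
```

Two caveats a practitioner will run into with this layout. First, rwm-map only renames: uidNumber, gidNumber, homeDirectory and loginShell are still absent from the entries AD returns, because AD does not carry them, so the last step in the original poster's list (returning those to the jumphost) is not solved by mapping alone, and the thread leaves how to supply them open. Second, userAccountControl and memberOf are declared so that the jumphost can request them and filter on them through the proxy (the "is active" and "is in a certain group" checks); the proxy itself enforces neither, and without the schema declarations a filter on those attributes would be treated as undefined by slapd and match nothing.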