
Re: slapd.conf for proxy to AD

Just to elaborate on some of my own points below:

Like a lot of people I guess, I'm having trouble configuring slapd to
work as a proxy server in front of Microsoft's Active Directory. AD in
this case is configured to refuse to allow anonymous searches but I want
to allow anonymous searches on the proxy. Therefore the configuration
I'm hoping for is:

* Anonymous binds to slapd get translated into an authenticated bind to AD.
* Authenticated binds to slapd have their credentials (DN and password)
passed through to AD.

According to man slapd-ldap, which says:

       idassert-bind    bindmethod=none|simple|sasl    [binddn=<simple    DN>]
              [credentials=<simple    password>]    [saslmech=<SASL     mech>]
              [secprops=<properties>] [realm=<realm>] [authcId=<authentication
              ID>]  [authzId=<authorization  ID>]  [authz={native|proxyauthz}]
              [mode=<mode>]     [flags=<flags>]     [starttls=no|yes|critical]
              [tls_cert=<file>]      [tls_key=<file>]      [tls_cacert=<file>]
              [tls_cacertdir=<path>]      [tls_reqcert=never|allow|try|demand]
              [tls_ciphersuite=<ciphers>]         [tls_protocol_min=<version>]
              [tls_crlcheck=none|peer|all]

              Allows  to  define  the  parameters of the authentication method
              that is internally used by the proxy  to  authorize  connections
              that are authenticated by other databases.  The identity defined
              by this directive, according to the properties associated to the
              authentication  method,  is  supposed to have auth access on the
              target server to attributes used on the proxy for authentication
              and  authorization,  and  to  be allowed to authorize the users.
              This requires to have proxyAuthz privileges on  a  wide  set  of
              DNs,  e.g.  authzTo=dn.subtree:"", and the remote server to have
              authz-policy set to to or both.  See slapd.conf(5)  for  details
              on  these  statements  and for remarks and drawbacks about their
              usage.  The supported bindmethods are

So it seems that this is the parameter I want.

              none|simple|sasl

              where none  is  the  default,  i.e.  no  identity  assertion  is
              performed.

I think I need "simple" here because I want OpenLDAP to do a simple bind (non-SASL) to AD.

...
              The supported modes are:

              <mode> := {legacy|anonymous|none|self}

              If <mode> is not present, and authzId is given, the proxy always
              authorizes that identity.  <authorization ID> can be

              u:<user>

              [dn:]<DN>

              The former is supposed to  be  expanded  by  the  remote  server
              according to the authz rules; see slapd.conf(5) for details.  In
              the latter case, whether or not the dn: prefix is  present,  the
              string must pass DN validation and normalization.

              The  default  mode  is legacy, which implies that the proxy will
              either perform a simple bind as the authcDN or a  SASL  bind  as
              the  authcID  and  assert  the  client’s identity when it is not
              anonymous.  Direct binds are always proxied.   The  other  modes
              imply that the proxy will always either perform a simple bind as
              the authcDN or a SASL bind as the authcID, unless restricted  by
              idassert-authzFrom   rules   (see  below),  in  which  case  the
              operation will fail;  eventually,  it  will  assert  some  other
              identity  according  to  <mode>.

It seems to me that I want mode=legacy according to this. I want it to perform a simple bind as some ID (VALID-BIND-DN below) when the client is anonymous, but assert the client's identity when it is not anonymous.

I have to say that the language of the manual here is far from clear. It doesn't actually define what is meant by "authcDN" for example, I'm only assuming that that means the "<simple DN>" given as the argument to the binddn option of this parameter. Also it could skip the double negatives.

However, it doesn't appear to work.  Any ideas?

Here's what I have so far, based on the documentation. I'm using
slapd.conf rather than the new conf.d directory based config, and I'm
currently running openldap 2.4.19:

--
database ldap
chase-referrals no
suffix "MY-AD-SUFFIX-HERE"
uri "ldaps://MY-AD-SERVER-HERE/"
cancel abandon

# slapd.conf(5): a line that begins with white space continues the previous
# line, so the wrapped credentials= arguments must be indented, and the
# binddn value must be closed with a double quote.
acl-bind bindmethod=simple binddn="VALID-BIND-DN"
        credentials="VALID-PASSWORD"

idassert-bind bindmethod=simple binddn="VALID-BIND-DN"
        credentials="VALID-PASSWORD" mode=legacy flags=non-prescriptive

idassert-authzFrom "dn.regex:.*"

access to * by * read
--

You can assume I've used valid bind DNs, suffixes, server names and
passwords in the places where I've resorted to capitals above. I've
tested these binds from the command line directly against the AD server
and they all work.

I have tested the above on OpenLDAP 2.3; it works for anonymous binds if
and only if a successful authenticated bind is done first. The same was
reported in this post:

http://www.openldap.org/lists/openldap-technical/200907/msg00043.html

In OpenLDAP 2.4 it fails to recognise the idassert-bind completely; all
attempts at anonymous bind seem to fail. A similar problem was reported
while upgrading from 2.3.11 to 2.3.27, here:

http://www.openldap.org/lists/openldap-software/200701/msg00055.html

Am I using the correct configuration directives to achieve what I want,
and if not what should I be using?

Thanx,


--
Del
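The stanza in the post has two lexical problems that slapd's config reader would trip over before any idassert semantics come into play: slapd.conf(5) only treats a line as a continuation of the previous one if it begins with white space, so the wrapped `credentials=` lines are read as directives of their own, and the `binddn` value of the `idassert-bind` line is missing its closing quote. The linter below is an added example for this thread, not code from the post or from OpenLDAP; it applies those two slapd.conf(5) rules, checks the `idassert-bind` / `acl-bind` keywords against the slapd-ldap(5) text quoted above (plus the four documented idassert flags: override, prescriptive, non-prescriptive, proxy-authz), and flags `mode=legacy`, which per that text binds as the authcDN and asserts the client's identity only when the client is not anonymous. `POSTED` is the poster's stanza with its placeholders kept; `FIXED` is an assumed correction (continuation lines indented, closing quote restored), not something the poster wrote. Blank-line handling is simplified to "a blank line separates directives", and the directive list covers only what the stanza uses.

```python
"""Lint a slapd.conf back-ldap stanza with the lexical rules slapd applies.

Added example for the post above; not code from the post or from OpenLDAP.
Rules from slapd.conf(5): a line beginning with white space continues the
previous line; double quotes group a value into one token. Keyword sets are
taken from the slapd-ldap(5) text quoted in the post. FIXED is an assumed
correction of the poster's stanza, not the poster's own text.
"""

POSTED = """\
database ldap
chase-referrals no
suffix "MY-AD-SUFFIX-HERE"
uri "ldaps://MY-AD-SERVER-HERE/"
cancel abandon

acl-bind bindmethod=simple binddn="VALID-BIND-DN"
credentials="VALID-PASSWORD"

idassert-bind bindmethod=simple binddn="VALID-BIND-DN
credentials="VALID-PASSWORD" mode=legacy flags=non-prescriptive

idassert-authzFrom "dn.regex:.*"

access to * by * read
"""

# Assumed correction: indent the wrapped lines, close the binddn quote.
FIXED = (POSTED.replace("\ncredentials=", "\n    credentials=")
               .replace('binddn="VALID-BIND-DN\n', 'binddn="VALID-BIND-DN"\n'))

# Only the directives used in the posted stanza; anything else is reported,
# which is exactly how an unindented continuation line looks to slapd.
DIRECTIVES = {"database", "suffix", "uri", "chase-referrals", "cancel",
              "acl-bind", "idassert-bind", "idassert-authzfrom", "access"}
BIND_KEYS = {"bindmethod", "binddn", "credentials", "saslmech", "secprops",
             "realm", "authcid", "authzid", "authz", "mode", "flags",
             "starttls", "tls_cert", "tls_key", "tls_cacert", "tls_cacertdir",
             "tls_reqcert", "tls_ciphersuite", "tls_protocol_min",
             "tls_crlcheck"}
BINDMETHODS = {"none", "simple", "sasl"}
MODES = {"legacy", "anonymous", "none", "self"}
FLAGS = {"override", "prescriptive", "non-prescriptive", "proxy-authz"}


def logical_lines(text):
    """Unwrap continuation lines; return (first_line_no, line) per directive."""
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue                          # simplification: blank = separator
        if raw[0] in " \t" and out:           # continuation of previous line
            first, prev = out[-1]
            out[-1] = (first, prev + " " + raw.strip())
        else:
            out.append((no, raw.rstrip()))
    return [(no, line) for no, line in out if not line.startswith("#")]


def tokenize(line):
    """Split on unquoted white space; double quotes group and are stripped."""
    toks, cur, in_quote, have = [], [], False, False
    for ch in line:
        if ch == '"':
            in_quote, have = not in_quote, True
        elif ch.isspace() and not in_quote:
            if have:
                toks.append("".join(cur))
                cur, have = [], False
        else:
            cur.append(ch)
            have = True
    if in_quote:
        raise ValueError("unterminated double quote")
    if have:
        toks.append("".join(cur))
    return toks


def check_bind_args(directive, args):
    """Validate key=value arguments of acl-bind / idassert-bind; no values echoed."""
    msgs, seen = [], {}
    for arg in args:
        key, sep, val = arg.partition("=")
        if not sep or key.lower() not in BIND_KEYS:
            msgs.append(("error", f"{directive}: unrecognised argument {key!r}"))
        else:
            seen[key.lower()] = val
    if "bindmethod" in seen and seen["bindmethod"] not in BINDMETHODS:
        msgs.append(("error", f"{directive}: bindmethod must be one of "
                              f"{sorted(BINDMETHODS)}"))
    if (seen.get("bindmethod") == "simple" and "binddn" in seen
            and "credentials" not in seen):
        msgs.append(("warn", f"{directive}: binddn without credentials; an "
                             "empty password is an unauthenticated bind"))
    if directive == "idassert-bind":
        mode = seen.get("mode", "legacy")
        if mode not in MODES:
            msgs.append(("error", f"mode must be one of {sorted(MODES)}"))
        elif mode == "legacy":
            msgs.append(("note", "mode=legacy binds as the authcDN and asserts "
                                 "the client's identity only when the client is "
                                 "not anonymous; anonymous clients are proxied "
                                 "anonymously (slapd-ldap(5))"))
        for flag in filter(None, seen.get("flags", "").split(",")):
            if flag not in FLAGS:
                msgs.append(("error", f"unknown flag {flag!r}"))
    return msgs


def lint(text):
    """Return (line_no, level, message) findings for a slapd.conf fragment."""
    findings = []
    for no, line in logical_lines(text):
        try:
            toks = tokenize(line)
        except ValueError as exc:
            findings.append((no, "error", f"{exc} in {line.split()[0]!r}"))
            continue
        directive = toks[0].lower()
        if directive not in DIRECTIVES:
            name = toks[0].split("=", 1)[0]   # never echo a value (credentials)
            hint = " (unindented continuation line?)" if "=" in toks[0] else ""
            findings.append((no, "error", f"unknown directive {name!r}{hint}"))
        elif directive in ("acl-bind", "idassert-bind"):
            findings += [(no, lvl, m) for lvl, m in
                         check_bind_args(directive, toks[1:])]
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(f"== {label}")
        for no, level, msg in lint(text):
            print(f"  line {no}: {level}: {msg}")
```

Run against the posted text it reports the stray `credentials` directives on lines 8 and 11, the unterminated quote on line 10, and (as a warning) that the `acl-bind` line, read on its own, carries a `binddn` with no `credentials`, which is an unauthenticated bind rather than the intended authenticated one. The corrected text parses cleanly and leaves only the note on `mode=legacy`, which is worth reading against the symptom in the post: in that mode the idassert bind is not performed for anonymous clients, so an anonymous search on the proxy reaches AD as an anonymous search.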