Hello,
Sorry, I tried posting this yesterday but it didn't seem to make it on the list - trying again.
I currently have OpenLDAP (2.4.28) running on a Linux box with a local database and a meta backend which represents the local database along with a remote Active Directory server (2008 R2). Below is a snapshot of my slapd.conf.
#------------------------------------------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
loglevel -1
modulepath /usr/lib/openldap/
allow bind_v2

database bdb
suffix "dc=local,dc=example,dc=com"
directory /var/lib/ldap
rootdn "cn=root,dc=local,dc=example,dc=com"
rootpw secret

database meta
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw secret

## Local
uri ldap://localhost/ou=Users,dc=local,dc=example,dc=com
idassert-bind bindmethod=simple binddn="cn=root,dc=local,dc=example,dc=com" credentials=secret

## Remote Active Directory
uri ldap://ad.example.com/cn=Users,dc=example,dc=com
idassert-bind bindmethod=simple
    binddn="cn=sync,cn=users,dc=example,dc=com"
    credentials=secret
# tls_cacert=/etc/openldap/cacerts/ad-ca.cer
# tls_cert=/etc/openldap/local.pem
# tls_key=/etc/openldap/local.key
#-----------------------------------------------------------
When I run the following command:

ldapsearch -x -D "cn=root, dc=example,dc=com" -w secret -b "dc=example,dc=com" -H ldap://localhost

everything works as expected with the above config, meaning I see the local and remote/proxied entries on AD with the root credentials specified above. Logs on AD indicate that the user sync performed a search. As I understand it, id-assertion is working?
Now if I change the remote entry to the following (enable SSL):

## Remote Active Directory
uri ldaps://ad.example.com/cn=Users,dc=example,dc=com
idassert-bind bindmethod=simple
    binddn="cn=sync,cn=users,dc=example,dc=com"
    credentials=secret
    tls_cacert=/etc/openldap/cacerts/ad-ca.cer
    tls_cert=/etc/openldap/local.pem
    tls_key=/etc/openldap/local.key
The same command (ldapsearch -x -D "cn=root, dc=example,dc=com" -w secret -b "dc=example,dc=com" -H ldap://localhost) binds locally successfully but does not list any remote attributes from AD. Verbose logging enabled on Active Directory indicates an anonymous bind and subsequent failure. This is what I'm trying to understand.
However, if I search using an account that resides on the AD server (-D "cn=sync,cn=users,dc=example,dc=com" -w secret) it works and the traffic is encrypted. The root account "seems" to be ignored when it comes to the assertion, but only when SSL is enabled.
Now, if I use TLS instead:

## Remote Active Directory
uri ldap://ad.example.com/cn=Users,dc=example,dc=com
tls start
    tls_cacert=/etc/openldap/cacerts/ad-ca.cer
    tls_cert=/etc/openldap/local.pem
    tls_key=/etc/openldap/local.key
idassert-bind bindmethod=simple
    binddn="cn=sync,cn=users,dc=example,dc=com"
    credentials=secret
everything works, and I see the remote entries in AD using the meta root credentials. I've verified the network traffic to ensure it was indeed encrypted. I've also verified that using ldapsearch directly against AD (e.g. -H ldaps://ad.example.com) also functions as intended. I did play around with slapd-ldap and it seemed to behave the same as meta regarding ldaps. In my eyes, something in my configuration makes the proxy seemingly ignore ldaps entries. Hopefully I didn't miss anything painfully obvious in the docs :)
Thanks,
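An added example, not part of the post above and not OpenLDAP's own code: a small Python checker that reads a slapd.conf fragment the way slapd.conf(5) does (a line beginning with whitespace continues the preceding directive, so the tls_* keywords and binddn/credentials lines belong to the `tls` or `idassert-bind` directive above them) and reports, for each slapd-meta target, whether the proxy reaches it over plain ldap://, ldaps:// or StartTLS, and what a reviewer would flag about that. The embedded config is constructed from the three variants in the post; the host ad2.example.com is made up so that both AD modes appear in one file. The parser is deliberately minimal (first URI per `uri` line only, comments dropped, no schema or rewrite handling).

```python
"""Report how each slapd-meta target is reached: plaintext, ldaps or StartTLS.
Added example; simplified slapd.conf parsing, not OpenLDAP's parser."""
import shlex
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample based on the three configurations in the post.
# ad2.example.com is a hypothetical host so both AD variants can coexist.
SAMPLE_CONF = """\
database bdb
suffix "dc=local,dc=example,dc=com"
rootdn "cn=root,dc=local,dc=example,dc=com"
rootpw secret

database meta
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw secret

## Local target, plain ldap:// to localhost
uri ldap://localhost/ou=Users,dc=local,dc=example,dc=com
idassert-bind bindmethod=simple
    binddn="cn=root,dc=local,dc=example,dc=com"
    credentials=secret

## AD over ldaps://, no tls directive
uri ldaps://ad.example.com/cn=Users,dc=example,dc=com
idassert-bind bindmethod=simple
    binddn="cn=sync,cn=users,dc=example,dc=com"
    credentials=secret

## AD over StartTLS; tls_* keywords continue the `tls start` line
uri ldap://ad2.example.com/cn=Users,dc=example,dc=com
tls start
    tls_cacert=/etc/openldap/cacerts/ad-ca.cer
    tls_cert=/etc/openldap/local.pem
    tls_key=/etc/openldap/local.key
idassert-bind bindmethod=simple
    binddn="cn=sync,cn=users,dc=example,dc=com"
    credentials=secret
"""

STARTTLS_MODES = ("start", "try-start", "propagate", "try-propagate")


def logical_lines(text: str) -> List[str]:
    """Fold continuation lines (leading whitespace); drop blanks and # comments."""
    out: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:  # continues the previous directive
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def _kv(tokens: List[str]) -> Dict[str, str]:
    """key=value tokens (shlex has already stripped the quotes) -> dict."""
    return dict(t.split("=", 1) for t in tokens if "=" in t)


def meta_targets(text: str) -> List[Dict]:
    """One record per `uri` directive found inside a `database meta` section."""
    targets: List[Dict] = []
    backend: Optional[str] = None
    for line in logical_lines(text):
        tok = shlex.split(line)
        key = tok[0].lower()
        if key == "database":
            backend = tok[1].lower()
        elif backend != "meta":
            continue
        elif key == "uri":
            u = urlsplit(tok[1])  # first URI of the target only
            targets.append({"uri": tok[1], "scheme": u.scheme.lower(),
                            "host": u.hostname, "tls_mode": None,
                            "tls_opts": {}, "idassert_binddn": None})
        elif key == "tls" and targets:
            targets[-1]["tls_mode"] = tok[1].lower()
            targets[-1]["tls_opts"] = _kv(tok[2:])
        elif key == "idassert-bind" and targets:
            targets[-1]["idassert_binddn"] = _kv(tok[1:]).get("binddn")
    return targets


def encryption_of(target: Dict) -> str:
    """'ldaps' for an ldaps:// URI, 'starttls' for a tls start/propagate
    directive on a plain ldap:// URI, otherwise 'plaintext'."""
    if target["scheme"] == "ldaps":
        return "ldaps"
    if target["tls_mode"] in STARTTLS_MODES:
        return "starttls"
    return "plaintext"


def findings(target: Dict) -> List[str]:
    """What a reviewer would flag about how this target is reached."""
    notes: List[str] = []
    enc = encryption_of(target)
    if enc == "plaintext" and target["idassert_binddn"]:
        notes.append("simple-bind credentials for %s are sent in the clear"
                     % target["idassert_binddn"])
    if enc != "plaintext" and not ({"tls_cacert", "tls_cacertdir"}
                                   & set(target["tls_opts"])):
        notes.append("no tls_cacert/tls_cacertdir on this target; peer "
                     "verification falls back to ldap.conf TLS_CACERT/TLS_REQCERT")
    if target["tls_mode"] in ("try-start", "try-propagate"):
        notes.append("%s continues in the clear if StartTLS fails" % target["tls_mode"])
    return notes


if __name__ == "__main__":
    for t in meta_targets(SAMPLE_CONF):
        print("%-48s %-9s %s" % (t["uri"], encryption_of(t),
                                 "; ".join(findings(t)) or "ok"))
```

Running it on the sample prints one line per target; the ldaps:// target is reported with no CA certificate of its own, the StartTLS target as clean, and the localhost target as sending the id-assertion credentials unencrypted. Feed it the real file with `meta_targets(open("/etc/openldap/slapd.conf").read())`.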