
Re: openldap proxy to AD



On 03/04/12 16:47, Induni, Marco wrote:
> Hi all,
> I'm building an openldap proxy to an AD server and adding a little
> "intelligence" based on the client request.
> 
> Unfortunately the client/program asking for information about an account
> needs to be set up with a user and password.
> Is there a way to let the proxy "ignore" this user and password and
> instead just use the ones specified in the slapd.conf file?
> Or to set up fake credentials somewhere?
> 
> 
> In detail, the queries are something like:
> 
> ldapsearch -x -h openldap-proxy -w "secret" -D "CN=MGRADREAD05,CN=MGR,DC=example,DC=com" -b "dc=pmm,dc=int" userPrincipalName=TST-USER10
> 
> but I need the proxy to exclude the "-w "secret" -D "CN=MGRADREAD05,CN=MGR,DC=example,DC=com" part and use the one in the conf file.
> In fact if I do a query like:
> 
> ldapsearch -x -h openldap-proxy -w "secret" -D "CN=MGRADREAD05,CN=MGR,DC=example,DC=com" -b "dc=pmm,dc=int" userPrincipalName=TST-USER10
> it works.
> 
> 
> Here is the slapd.conf
> 
> database        meta
> suffix          "dc=pmm,dc=int"
> 
> uri             "ldap://10.10.10.1/dc=pmm,dc=int"
> suffixmassage   "dc=pmm,dc=int" "dc=media,dc=int"
> 
> rewriteContext  searchFilter
> rewriteRule "userPrincipalName=(.*)@rtsi.ch" "userPrincipalName=%1@rsi.ch" ":"
> rewriteRule "sAMAccountName=([:alnum:])" "userPrincipalName=%1@rtr.ch" ":"
> 
> idassert-bind
>         bindmethod=simple
>         binddn="CN=svc-adread05,CN=AdminAccounts,OU=RSI,OU=Units,DC=media,DC=int"
>         credentials="Comano2012"
>         mode=self
> idassert-authzFrom "dn.regex:.*"
> 
> Any idea?

You can configure the ldap and meta backends to use a different
authentication for the outgoing connection to the proxied server by
setting mode=none in the idassert-bind directive. For example:

idassert-bind bindmethod=simple binddn="cn=proxyuser,dc=ad,dc=com"
              credentials=secret mode=none

will cause all connections to the proxied LDAP server to use those
credentials. Is this what you're trying to achieve?

Jonathan
-- 
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
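As an added example (not the configuration of either poster in this thread), the fragment below shows a slapd.conf layout for the setup Jonathan describes: a back-meta proxy whose outgoing operations to AD always run as one fixed service account (idassert-bind with mode=none), with the client-facing side tightened so that the broad "dn.regex:.*" pattern and a missing ACL do not turn the proxy into an open relay to the service account's AD rights. The hostname ad.example.internal, the DNs, the local bdb database for application identities and the placeholder password are assumptions.

```conf
# Added example, not Marco's or Jonathan's configuration. Hostname, DNs,
# the local client database and the placeholder password are assumptions.

# Local database holding the identities that applications bind to the proxy
# with, so client credentials never need to exist in AD. Populate it with
# slapadd(8). bdb/hdb were current for OpenLDAP 2.4 in 2012; use mdb on
# newer releases.
database        bdb
suffix          "ou=proxy-clients,dc=local"
directory       /var/lib/ldap/proxy-clients
rootdn          "cn=admin,ou=proxy-clients,dc=local"

# Proxy to AD. suffixmassage rewrites the virtual naming context seen by
# clients into the real one on the AD side.
database        meta
suffix          "dc=pmm,dc=int"
uri             "ldap://ad.example.internal/dc=pmm,dc=int"
suffixmassage   "dc=pmm,dc=int" "dc=media,dc=int"

# Outgoing identity. With mode=none the proxy does not assert the client's
# identity towards AD: every forwarded operation runs as this service
# account, whichever client bound to the proxy. Give the account read-only,
# scoped rights in AD, and keep slapd.conf mode 0600 and owned by the slapd
# user, since the password is stored in cleartext.
idassert-bind   bindmethod=simple
                binddn="CN=svc-adread,OU=ServiceAccounts,DC=media,DC=int"
                credentials="REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
                mode=none

# Which local identities may use the service account. The pattern from the
# thread, "dn.regex:.*", admits every bound identity; naming the application
# identities explicitly keeps the set small and auditable.
idassert-authzFrom "dn.exact:cn=app-reader,ou=proxy-clients,dc=local"

# Because AD only ever sees the service account, the proxy's own ACL is the
# place to say what each client may read. "entry" must be readable for an
# entry to be returned at all; read implies search, so the userPrincipalName
# filter from the thread still works for app-reader and returns nothing to
# anyone else.
access to dn.subtree="dc=pmm,dc=int" attrs=entry,cn,sAMAccountName,userPrincipalName
        by dn.exact="cn=app-reader,ou=proxy-clients,dc=local" read
        by * none
```

Check the file with slaptest -f slapd.conf before restarting slapd, then run the ldapsearch from the thread against the proxy bound as cn=app-reader,ou=proxy-clients,dc=local and confirm it returns the expected entry; repeat it anonymously and with an unrelated DN and confirm nothing comes back. On the AD side, a search that succeeds through the proxy should appear in the AD logs as the service account, which is the visibility trade-off of mode=none: per-client attribution has to come from the proxy's own logs (loglevel stats) rather than from AD.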