
Re: Openldap for proxy AD

You are trying to authenticate through the credentials stored in your Active Directory servers, not the passwords stored in LDAP, correct?  If that is the case, then the easiest means to accomplish that is to use SASL for authentication.


On Tue, Nov 19, 2013 at 12:59 PM, <wrm@cdtn.br> wrote:
Hi,
I'm having some trouble doing authentication against AD through OpenLDAP.

Has somebody managed to authenticate with an AD password in an OpenLDAP server?

I'm trying everything but it doesn't authenticate. I see all users but the password
doesn't pass.


My slapd.conf looks like this:


#
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema

#allow bind_v2

loglevel 256
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/lib/openldap
#moduleload      back_bdb
moduleload accesslog.la
moduleload auditlog.la
moduleload ppolicy.la
moduleload rwm.la
moduleload back_ldap

TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

#######################################################################

database        ldap
suffix "dc=foobar"
rootdn "cn=admin,dc=foobar"
###################################
rootpw                  {SSHA}wXmTs2ANS4XwqqnzEVIqmc+i6VCUiD7I

database ldap
suffix dc=foobar,dc=com
#subordinate
rebind-as-user
uri     ldaps://srv-2003.foobar.com
idassert-bind   bindmethod=simple
binddn="cn=vmail,cn=users,dc=foobar,dc=com"
credentials=abc@123
mode=none
flags=non-prescriptive

idassert-authzFrom "dn.regex:.*"
#idassert-authzFrom "dn.exact:cn=admin,dc=foobar"
#
chase-referrals yes

require authc
#############################
###########password-hash {CLEARTEXT}
TLSCipherSuite HiGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSVerifyClient allow
sasl-host localhost
sasl-secprops none

#########################################################################
database config
# all others attributes are readable to everybody

access to *
        by * read

lastmod off

overlay rwm
rwm-suffixmassage dc=foobar,dc=com
#rwm-normalize-mapped-attrs
rwm-map attribute uid       sAMAccountName
rwm-map attribute cn        name
#rwm-map attribute mail      userPrincipalName
rwm-map objectclass account


What is wrong?

Please help me.

Thanks.


--
Jason K. Brandt
Systems Administrator
Bradley University
(309) 677-2958
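Jason's "use SASL for authentication" is, in OpenLDAP terms, pass-through authentication: slapd holds the user entries in a local database (instead of proxying them with back-ldap), marks their userPassword as {SASL}, and hands every bind password to saslauthd, which checks it by binding to AD as that user. The fragments below are an added example, not configuration from this thread or from the OpenLDAP project; the AD host srv-2003.foobar.com, the service account cn=vmail,cn=users,dc=foobar,dc=com and the suffix come from the posted slapd.conf, while the ou=people container, the user jdoe, the mdb backend and the /etc/sasl2 and /var/run/saslauthd paths are assumptions (Red Hat-style layout). slapd must have been built with --enable-spasswd for {SASL} passwords to be honoured.

```conf
# --- /etc/saslauthd.conf: saslauthd verifies passwords against AD ---
# Look the user up by sAMAccountName with the service account, then bind as
# the user's own DN with the password supplied to slapd (ldap_auth_method: bind).
ldap_servers: ldaps://srv-2003.foobar.com/
ldap_search_base: cn=users,dc=foobar,dc=com
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=vmail,cn=users,dc=foobar,dc=com
ldap_bind_pw: CHANGE-ME-service-account-password
ldap_auth_method: bind
ldap_version: 3
# Verify the AD server certificate against the CA bundle; do not trust any peer.
ldap_tls_cacert_file: /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_check_peer: yes
# Start with:  saslauthd -a ldap -O /etc/saslauthd.conf
# Check with:  testsaslauthd -u jdoe -p 'the-ad-password'

# --- /etc/sasl2/slapd.conf: point slapd's SASL library at saslauthd ---
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- slapd.conf: a local database whose entries carry {SASL} passwords ---
# This replaces the second "database ldap" proxy section of the posted file;
# the schema includes, pidfile, argsfile and TLS* lines stay as they are.
moduleload back_mdb
database mdb
suffix "dc=foobar,dc=com"
rootdn "cn=admin,dc=foobar,dc=com"
rootpw {SSHA}REPLACE-WITH-slappasswd-OUTPUT
directory /var/lib/ldap
# userPassword may only be used for binding; nobody reads it back.
access to attrs=userPassword
        by anonymous auth
        by * none
access to *
        by * read

# --- LDIF for one user (ldapadd -x -D cn=admin,dc=foobar,dc=com -W -f user.ldif) ---
# The base entry dc=foobar,dc=com and ou=people must exist first. The {SASL}
# value holds no secret: slapd sends the bind password to saslauthd as
# user "jdoe", realm "foobar.com", and AD accepts or rejects it.
# dn: uid=jdoe,ou=people,dc=foobar,dc=com
# objectClass: inetOrgPerson
# uid: jdoe
# cn: Jane Doe
# sn: Doe
# userPassword: {SASL}jdoe@foobar.com
#
# Bind test through slapd (should print dn:uid=jdoe,ou=people,dc=foobar,dc=com):
#   ldapwhoami -x -H ldap://localhost -D uid=jdoe,ou=people,dc=foobar,dc=com -W
```

With this layout no AD password or hash is ever stored in slapd, the only stored credential is the read-only service account in /etc/saslauthd.conf (keep that file root-readable only), and the AD connection is verified with ldaps and ldap_tls_check_peer. If testsaslauthd succeeds but ldapwhoami fails, the problem is on the slapd side (missing --enable-spasswd, wrong saslauthd_path, or slapd's SASL library reading a different sasl2 directory); if testsaslauthd itself fails, check the filter and search base against AD.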