
Re: OpenLDAP as Proxy

On 21/08/2017 at 16:51, Palacios, Christian wrote:

Hi there,


We need to find out if OpenLDAP will allow us to use it as a proxy so it can retrieve users from three different Windows Active Directory Domains.  These three domains do not have any similar users.  The user retrieval process needs to work like this:

- The application that needs this LDAP connection will point to the OpenLDAP server using an LDAP address such as ldap://server.example.com:389/OU=users…etc
- This application will also need to retrieve the sAMAccountName from each user retrieved via the OpenLDAP server
- The application’s LDAP connection settings also need to specify an Administrator’s DN and password, but I’m confused about this because I don’t know what Administrator account to use.  Like I said, each domain has their own set of users so they don’t have any Administrator accounts in common.  How would this work?

If you need any more information, please let me know!!


Hello Christian,

I am implementing such a service for a customer right now.

You need to use OpenLDAP back-meta and define a uri parameter for each AD. In this uri parameter, you will be able to set which account is used to request AD.

Here is a very simple configuration sample:

----
# Proxy database with its own rootdn/rootpw, independent of any AD account
database    meta
suffix      "dc=example,dc=com"
rootdn      "cn=manager,dc=example,dc=com"
rootpw      secret

# One target per AD domain; the account used to query that AD is set with idassert-bind
uri     ldap://ad1.example.com/dc=ad1,dc=example,dc=com
suffixmassage dc=ad1,dc=example,dc=com dc=acme,dc=com
idassert-bind bindmethod="simple" binddn="cn=demo,cn=Users,dc=acme,dc=com" credentials="secret" mode="self" flags="non-prescriptive"

# Expose AD's sAMAccountName as uid; pass every other attribute through unchanged
overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute * *
----

You can also find some hints on back-meta configuration on this page: https://ltb-project.org/documentation/general/sasl_delegation or in the OpenLDAP manpage: man slapd-meta


Another solution is to create a central LDAP Directory by synchronizing data from all AD into it. The LSC project can help you to do that: https://lsc-project.org/documentation/start


Hope it helps,
-- 
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
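Extending the single-target sample above to the three-domain case the original question describes, as an added example (not part of the thread or the LTB project): each AD gets its own uri, suffixmassage and idassert-bind block under one meta database, while the rwm overlay maps uid to sAMAccountName for all of them. Hostnames ad1/ad2/ad3, the three real AD suffixes and all credentials are placeholders; the per-domain bind accounts are assumed to be dedicated read-only AD users.

```conf
# Added example slapd.conf fragment; hostnames, suffixes and passwords are placeholders
database    meta
suffix      "dc=example,dc=com"
# The application binds to the proxy with this DN/password only
rootdn      "cn=manager,dc=example,dc=com"
rootpw      PROXY_PASSWORD_PLACEHOLDER

# Target 1: first AD domain, exposed under dc=ad1,dc=example,dc=com
uri     ldap://ad1.example.com/dc=ad1,dc=example,dc=com
suffixmassage dc=ad1,dc=example,dc=com dc=acme,dc=com
idassert-bind bindmethod="simple" binddn="cn=ldapproxy,cn=Users,dc=acme,dc=com" credentials="AD1_PASSWORD_PLACEHOLDER" mode="self" flags="non-prescriptive"

# Target 2: second AD domain, exposed under dc=ad2,dc=example,dc=com
uri     ldap://ad2.example.com/dc=ad2,dc=example,dc=com
suffixmassage dc=ad2,dc=example,dc=com dc=beta,dc=org
idassert-bind bindmethod="simple" binddn="cn=ldapproxy,cn=Users,dc=beta,dc=org" credentials="AD2_PASSWORD_PLACEHOLDER" mode="self" flags="non-prescriptive"

# Target 3: third AD domain, exposed under dc=ad3,dc=example,dc=com
uri     ldap://ad3.example.com/dc=ad3,dc=example,dc=com
suffixmassage dc=ad3,dc=example,dc=com dc=gamma,dc=net
idassert-bind bindmethod="simple" binddn="cn=ldapproxy,cn=Users,dc=gamma,dc=net" credentials="AD3_PASSWORD_PLACEHOLDER" mode="self" flags="non-prescriptive"

# Applied to the whole meta database, i.e. to every target above
overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute * *
```

The application then points at ldap://proxy.example.com/dc=example,dc=com with a subtree search and the proxy rootdn as its bind DN, so it never needs an account that exists in all three domains. Because the file holds one password per domain, keep slapd.conf readable only by the slapd user and give each AD bind account no more than read access.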