
Re: setting up openldap to proxy to AD on SUSE ENT 12



On Mon, 25 Feb 2019 13:34:45 -0800,
N6Ghost <n6ghost@gmail.com> wrote:

> hi all,
> 
> I am trying to set up an openldap proxy to AD and I need to use SUSE
> Enterprise Linux 12.
> 
> Hostname:/etc/openldap # rpm -qa|grep -i openldap
> openldap2-2.4.41-18.43.1.x86_64
> openldap2-client-2.4.41-18.43.1.x86_64
> 
> What I am trying to do is proxy an application (with 1000s of users)
> from talking directly to AD, to talking to openldap, and then have
> openldap talk to AD.
> Looking across the net there is a bunch of stuff, but most of it does not
> seem to apply, or work. Looking at the official doc, it says use sasl but
> you must have a local entry with a {sasl} tag on the user; that's not
> really ideal and would make a huge problem. A few of the posts online
> just said point to AD via ldap is possible? And this application also
> has a group lookup as part of its auth process... e.g., only members of
> groupX can access....
> 
> any help in this would be huge.
> 
> 
> Seems I am mixing up a few different ways of doing this. What's the
> best way to do this?

I presume you are running slapd with the slapd-ldap(5) backend.
AD requires non-standard attribute types, which OpenLDAP does not
provide. Include AD schema files into slapd.
RFC 4513 requires SASL for strong binds; if your AD is set up as a KDC you
may include openldap services as Kerberos host and service principals.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
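As an added illustration of the setup Dieter describes (a slapd-ldap(5) proxy in front of AD with the AD schema included), here is a minimal slapd.conf in the style of OpenLDAP 2.4. It is not from the thread or from the OpenLDAP project; every hostname, DN, file path and password in it is an assumed placeholder, and `microsoft.schema` stands for whatever AD schema file you install locally. Client binds are forwarded to AD unchanged, so no local `{SASL}` entries are needed; searches that arrive before the application binds are performed as a dedicated AD service account via `idassert-bind`, and the upstream connection is protected with STARTTLS and certificate verification.

```conf
# Added example slapd.conf (not from the mailing-list thread): OpenLDAP as a
# read-only proxy to Active Directory using the slapd-ldap(5) backend.
# All names, DNs, paths and credentials below are placeholders/assumptions.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
# AD attribute types (sAMAccountName, memberOf, objectSid, ...) are not shipped
# with OpenLDAP; this is an assumed locally installed AD schema file.
include         /etc/openldap/schema/microsoft.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

modulepath      /usr/lib64/openldap
moduleload      back_ldap.la
moduleload      rwm.la

# TLS for the proxy's own listener (ldaps:// or STARTTLS from the application).
TLSCertificateFile      /etc/openldap/certs/proxy.crt
TLSCertificateKeyFile   /etc/openldap/certs/proxy.key
TLSCACertificateFile    /etc/openldap/certs/internal-ca.pem
# Refuse simple binds that would send passwords in the clear to the proxy.
security        simple_bind=128

# Only authenticated clients may read proxied AD data; anonymous may bind.
access to *
        by users read
        by anonymous auth

database        ldap
suffix          "dc=example,dc=com"
# Assumed AD domain controllers; list several for failover.
uri             "ldap://dc1.example.com ldap://dc2.example.com"
# STARTTLS to AD and verify its certificate against the assumed AD CA.
tls             start tls_cacert=/etc/openldap/certs/ad-ca.pem tls_reqcert=demand
# Remember client credentials so reconnects/referrals rebind as the client.
rebind-as-user  yes
# AD returns referrals for other naming contexts; do not chase them.
chase-referrals no
# Drop idle upstream connections and bound the wait for AD.
idle-timeout    600
network-timeout 5

# Operations from clients that have not bound (e.g. the application's user
# lookup before it binds as that user) run as an assumed AD service account.
# mode=none: no proxyAuthz control is sent, because AD does not support it.
idassert-bind   bindmethod=simple
                binddn="cn=ldap-proxy,ou=Service Accounts,dc=example,dc=com"
                credentials="REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
                mode=none
# Uncomment to restrict which local identities may use the service account:
# idassert-authzFrom "dn.exact:cn=app,ou=Service Accounts,dc=example,dc=com"

# Present AD's sAMAccountName as uid to an application that expects uid,
# using the slapo-rwm overlay (attribute mapping moved there in 2.4).
overlay         rwm
rwm-map         attribute uid sAMAccountName
rwm-map         attribute * *
```

For the group check the application performs, AD's `memberOf` attribute passes through unchanged once the AD schema is loaded, so a filter such as `(&(sAMAccountName=jdoe)(memberOf=cn=groupX,ou=Groups,dc=example,dc=com))` can be sent to the proxy exactly as it was sent to AD. Validate the result with `slaptest -f /etc/openldap/slapd.conf` before starting the service, and test the TLS path with `ldapwhoami -ZZ` against the proxy.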