not getting ldap proxy to AD working... please help
by Drikus Brits
Heya experts.
I need some guidance. I am having difficulty deploying my
requirements. I need to deploy a couple of U18 servers/containers.
These servers all needs to authenticate with LDAP accounts that is
active and in a certain group on AD, but the IT team doesn't want to
allow IPs and ports from servers across the network and so I have to
set up a ldap proxy that will speak to AD on behalf of all the other
machines eg jumphost. The windows AD cannot be modified to add extra
groups eg posixAccount, uidNumber, gidNumber, loginShell,
homeDirectory etc.
I can successfully run a ldapsearch from the proxy machine to the AD
and query a user based on the sAMAccountName and am getting successful
results back from AD. However, when the jumphost (proxy set as ldap
authhost) tries to authenticate with the proxy, then I see the request
coming in from the jumphost to ldap proxy, and see the ldap proxy
sending the request to the windows AD, but it forwards the same
details as it sent to the local to the remote; eg
objectClass=posixAccount, uid=testuser. This doesn't exist on the AD
and so returns no result. I've tried to do rewrites and according to
the packet captures, saw that the rewrite was working somewhat. I was
able to rewrite uid to sAMAccountName, but not sure what to rewrite
the posixAccount to....
So ideally what I'd like to see happening is that :
1) user logs onto jumphost with username "testuser"
2) user lookup & authentication goes to ldap_proxy
3) ldap_proxy send request to AD to check if user exists and is active
and match against the password
4) upon username=exists, is=active, password=ok return the result to ldap_proxy
5) ldap_proxy returns the necessary to jumphost eg;
a) posixAccount
b) homeDirectory
c) loginShell
I've tried following a couple of different options to make it work,
but right now I'm not sure which option is the correct one eg; (mdb
config + ldap backend) or (meta + ldap backend ) or ( ldap + pcache )
and whether to rewrite or not to rewrite. From my understanding, I am
looking for something that sounds like a meta setup that combines the
local and remote data...is my understanding correct?
I've seen this working at a previous employer but not sure whether
their AD was modified and that is why it was working there, or whether
the solution is workable without having to force the IT guys' hand and
add extra vars..
I've scouted the openldap mailing list as well for answers but there
is a plethora of no replies and some replies that somewhat matches
what I'm trying to do...
Any guidance would be super appreciated
3 years, 4 months
Lazy quantifiers in regex ACLs??
by Jon C Kidder
Does the regex engine in OpenLDAP not support lazy quantifiers? Why does the ACL processing in this log show only one capture group as if the lazy quantifier in the first capture group isn't recognized? Every tester I plug this regex into produces 2 capture groups which is what I need. I need to carve off the leading OU as one capture group and capture the remaining chain of OUs as the second group then re-use both in my ACLs. Any suggestions for creating a regex that would produce the desired capture groups for use in my ACLs?
5d94aa15 => dnpat: [18] (ou=.+?,)?(ou=.+,)?ou=Delegated,ou=ApplicationData,dc=global,dc=aep,dc=com$ nsub: 2
5d94aa15 => acl_get: [18] matched
5d94aa15 => acl_get: [18] attr entry
5d94aa15 => match[dn0]: 0 95 ou=testapplication,ou=bolt,ou=concourse,ou=delegated,ou=applicationdata,dc=global,dc=aep,dc=com
5d94aa15 => match[dn1]: 0 40 ou=testapplication,ou=bolt,ou=concourse,
3 years, 4 months