Hello everyone,
I am currently struggling with my OpenLDAP configuration (v2.5.13 on Debian 12). I want my OpenLDAP server to host a local database and to act as a proxy to an Active Directory database. Both databases should be merged to centralise authentication.
Through my research, I've discovered slapd-meta, which can merge multiple databases.
Here is a small diagram of what I expect:
                            |--------> Local database (LDIF) "ou=local"
META "dc=example,dc=com" ---|
                            |--------> Proxy Active Directory "cn=Users,dc=addomain,dc=com"
I am able to regroup accounts from both Active Directory and local OpenLDAP databases within the same naming context "dc=example,dc=com".
Available accounts within "dc=example,dc=com":
- cn=userad,dc=example,dc=com (From Active Directory database)
- cn=userldap,dc=example,dc=com (From local OpenLDAP database)
For my Windows devices, I use pGina to manage user authentication against my OpenLDAP server. Once pGina is correctly configured, I can easily and quickly connect with all available accounts from AD and LDAP (userad and userldap).
My "only" problem is when the Active Directory server is down or unreachable. I am obviously no longer able to connect with Active Directory accounts. However, authentication with OpenLDAP accounts (userldap) becomes very slow and sometimes I can't connect.
In fact, the OpenLDAP server keeps trying to reach Active Directory for every request even if it's unreachable. This behaviour seems to slow the OpenLDAP searches within the local LDAP database a lot.
I've tried implementing different types of timeout in order to stop reaching unreachable servers, but it doesn't make the authentication for LDAP accounts go any faster.
Here is my slapd.conf:
#################BOF###################
### SCHEMAS
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/misc.schema
include         /etc/ldap/schema/microsoft.minimal.schema
include         /etc/ldap/schema/rfc2307bis.schema
### MODULES
# Path to the backend modules (slapd.conf has no trailing comments, so
# comments go on their own lines)
modulepath      /usr/lib/ldap
# Module for the ldap (proxy) backend
moduleload      back_ldap
# Module for the meta backend
moduleload      back_meta
### MAIN SETTINGS
pidfile         /run/slapd/slapd.pid
argsfile        /run/slapd/slapd.args
### DATABASES DEFINITION
## GENERAL ##
## LOCAL DATABASE CONFIG ##
database        ldif
suffix          "ou=local"
directory       "/var/lib/ldap"
rootdn          "cn=ldapadm,ou=local"
rootpw          "*****"
# The "by" clauses are continuation lines of the single "access" directive.
# "by * read" already matches every requester (read implies search), so the
# trailing "by * search" clause is never reached.
access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read
        by * search
## MAIN DATABASE TO REGROUP BOTH REMOTE AND LOCAL DATABASE ##
database        meta
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          "*****"
## PROXY TO LOCAL DB ##
# Each "uri" starts a new target; the directives that follow apply to it
# until the next "uri".
uri             "ldap://127.0.0.1/dc=example,dc=com"
lastmod         off
suffixmassage   "dc=example,dc=com" "ou=local"
rebind-as-user
# idassert-bind is one directive: its arguments are continuation lines and
# must start with whitespace, otherwise slapd rejects "binddn=..." as an
# unknown directive.
idassert-bind   bindmethod=simple
                binddn="cn=ldapadm,ou=local"
                credentials="*****"
                mode=none
idassert-authzFrom "*"
## PROXY TO Active Directory ##
uri             "ldap://AD-ip:389/dc=example,dc=com"
readonly        yes
lastmod         off
suffixmassage   "dc=example,dc=com" "cn=Users,dc=addomain,dc=com"
protocol-version 3
rebind-as-user
# Same rule: the idassert-bind arguments are continuation lines.
idassert-bind   bindmethod=simple
                binddn="cn=Administrator,cn=Users,dc=addomain,dc=com"
                credentials="*****"
                mode=none
                flags=override
idassert-authzFrom "*"
# Local attribute uid is presented to AD as sAMAccountName
map             attribute uid sAMAccountName
#################EOF###################
Any help or suggestion on how to authenticate with local OpenLDAP accounts even if the Active Directory server is down would be appreciated.
Have a good day.
Alexis
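An editorial note on the question above, with an added example that is not part of the original post. Because both targets are massaged into the same flat naming context "dc=example,dc=com", slapd-meta cannot tell from a DN such as cn=userldap,dc=example,dc=com which target holds the entry, so every bind and search fans out to both targets and the result is only returned once the Active Directory target has either answered or timed out. Per-operation timeouts alone do not help much, because the stall is repeated on every request; what stops it is slapd-meta's quarantine, which skips a target that has just failed to connect for a configurable interval instead of reconnecting on every operation. The meta database below rewrites the one in the post with that change, plus the hardening a reviewer would ask for: a hashed rootpw, StartTLS on the channel that carries the AD proxy credentials, and a dedicated read-only AD account instead of cn=Administrator. The directive names are from slapd-meta(5); the timeout values, the AD hostname, the CA file path, the hash placeholder and the service account DN are assumptions, not values from the original post.

```conf
## MAIN DATABASE TO REGROUP BOTH REMOTE AND LOCAL DATABASE ##
database        meta
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
# Hashed rather than plaintext; generate with: slappasswd -h {SSHA}
# (placeholder value, assumption)
rootpw          "{SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT"

# Database-wide defaults; "quarantine" must appear before the first "uri".
# After a target fails to connect, retry it 3 times at 30 s intervals, then
# every 120 s forever. While quarantined it is skipped immediately, so
# operations are answered by the remaining target without waiting.
quarantine      30,3;120,+
# Do not retry a bind against a target whose connection just failed
nretries        never
# One failed target during a search must not fail the whole search
onerr           continue

## PROXY TO LOCAL DB (unchanged from the original layout) ##
uri             "ldap://127.0.0.1/dc=example,dc=com"
lastmod         off
suffixmassage   "dc=example,dc=com" "ou=local"
rebind-as-user
idassert-bind   bindmethod=simple
                binddn="cn=ldapadm,ou=local"
                credentials="*****"
                mode=none
idassert-authzFrom "*"

## PROXY TO Active Directory ##
# Hostname rather than IP (assumed name) so the TLS certificate check passes
uri             "ldap://dc1.addomain.com:389/dc=example,dc=com"
readonly        yes
lastmod         off
suffixmassage   "dc=example,dc=com" "cn=Users,dc=addomain,dc=com"
protocol-version 3
# Cap the TCP connect; without this a black-holed DC blocks each bind and
# search for the kernel's SYN retry time (often well over a minute)
network-timeout 3
# Cap the wait for an asynchronous bind result (microseconds)
bind-timeout    2000000
# Per-operation timeouts, in seconds
timeout         bind=5 search=10
# TCP keepalive idle:probes:interval, so a silently dead DC is noticed
keepalive       30:3:10
# StartTLS before sending the proxy credentials; CA path is an assumption
tls             start tls_cacert=/etc/ssl/certs/ad-root-ca.pem tls_reqcert=demand
rebind-as-user
# Dedicated read-only service account (assumed DN) instead of cn=Administrator
idassert-bind   bindmethod=simple
                binddn="cn=svc-ldapproxy,cn=Users,dc=addomain,dc=com"
                credentials="*****"
                mode=none
                flags=override
idassert-authzFrom "*"
map             attribute uid sAMAccountName
```

Two caveats. Quarantine only pays off after the first failure: the first bind after the DC goes down still waits the network-timeout, and after each quarantine interval one request is again spent probing the DC, so keep network-timeout short. And the idassert credentials for both targets remain in clear text in slapd.conf, so the file should be readable only by root and the openldap user (for example mode 0640, owner root:openldap); StartTLS protects them on the wire, not on disk. Check the result with `slaptest -f /etc/ldap/slapd.conf -u` before restarting, and test the AD-down case by blocking the DC at the firewall rather than stopping it, since a refused connection and a silently dropped one exercise different timeouts.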