Am 26.02.19 um 18:18 schrieb N6Ghost:
On 2/26/2019 12:07 AM, Dieter Klünter wrote:
Am Mon, 25 Feb 2019 13:34:45 -0800 schrieb N6Ghost n6ghost@gmail.com:
hi all,
I am trying to setup an openldap proxy to AD and i need to use SUSE Enterprise Linux 12.
Hostname:/etc/openldap # rpm -qa|grep -i openldap openldap2-2.4.41-18.43.1.x86_64 openldap2-client-2.4.41-18.43.1.x86_64
what I am trying to do, is proxy an application (with 1000s of users) from talking directory to AD, to talking to openldap. and then have openldap talk to AD. look across the net is a bunch of stuff, but most of it does not seem to apply, or work. look at the offical doc, says use sasl but you must have an local entry with a {sasl] tag on the user thats not really ideal and work make a huge problem. a few of the posts online just said point to AD via ldap is possible? and this application also has a group lookup as part of its auth process... eg, only member of groupX can access....
any help in this would be huge.
seems, i am mixing up a few different ways of doing this whats the bets way to do this?
I presume you are running slapd with slapd-ldap(5) backend. AD requires non standard attribute types, which openldap does not provide. Include AD schema files into slapd. RFC-4513 requires sasl for strong binds, if your AD is setup as KDC you may include openldap services as kerberos host and service pricipals.
-Dieter
where do i get the AD schema that's not in the schema directory.
See Quannah's response
yea i was working with /etc/sldap.conf, but in openldap 2.4 it seems some stuff has changed,
May be you mean the option to put the configuration in the LDAP data (below cn=config) instead of using slapd.conf. You can still use the latter though.
and lots of very conflicting information on how to go about getting the proxy to AD, lost of posts say you can just have a config in sldap.conf, but that not only does not work but many of the items in those config dont work, and will not allow the service to even start.
then there is the matter, where the official docs say you can pass thru, but the accounts needs a local openldap account with {sasl} taged. which for a large domain with 1000s of users is a pain.
So there are several possibilites to integrate OL and AD:
1.) What you are referring to is a pass through authentication, where all data are managed in OL except the password, i.e. bind requests (authentication) is proxied to AD. This is done by including
{SASL}username@realm in the userpassword attribute. If you have the AD username in OL already, this can be done with a script quite easily.
2.) using only the data in AD and let OL proxy everything. This can be done via ldap backend or meta backend both in combination with rwm overlay. Here you need to include the AD schema pointed by Quanah
3.) the kerberos based solution mentioned by Dieter
4.) you can also have a look at the translucent proxy overlay
Which solution ios best for you depends on your requirements.
Of course yet another solution might be that you introduce a proper identity management system that provisions AD and OL as target systems...
Hope this helps clarify things.
Cheers,
Peter
and it seems openldap is more of a solutions backend that has a bazillion options. and you build out a design and options, configs etc based on your needs. and you got to hunt down the how and whats supported etc, and you have to deal with the distros packaging....
-N6Ghost