Hello everyone.
First of all, I'm a newbie in OpenLDAP server administration (but not in Active Directory). That said, this is my goal:
- set up an LDAP front-end server to an AD back-end server - and, so far, there is plenty of information about this.
But I want to do it in an environment where there are many UX services which bind to the AD server, and each of these services needs an LDAP client configuration, with insertion and storage of credentials for binding. One of these is Dovecot, which does LDAP authentication of each of its users in the typical fashion...
user: ad_username@my.ad psw: ad_username_password
Hence, I wish to avoid spreading AD binding credentials around by gathering this pair of data in just one point of my system: that is, the OpenLDAP proxy, or slapd front end.
I've already tried to do it.
First of all, I got an error at the installation stage which drove me crazy and which I have not yet solved: i.e., after copying the DB_CONFIG example file to the lib directory:
root@lamp ~# rm -fr /var/lib/ldap/* && rm -fr /etc/ldap/slapd.d/* && cp /usr/share/slapd/DB_CONFIG /var/lib/ldap/DB_CONFIG
when I run:
root@lamp ~# slapadd -v -l xdom.ldif+
I get an error like the following:
52e1597b bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (14).
Even though DB_CONFIG is there and has the right permissions... Anyway, I discovered that this issue was not blocking, so I went forward.
I populated slapd.d:
root@lamp ~# slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/
52e280b2 bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (14). Expect poor performance for suffix "dc=xdom,dc=loc".
I gave the right permissions to the directories:
root@lamp ~# chown -R openldap:openldap /etc/ldap/slapd.d/ && chown -R openldap:openldap /var/lib/ldap/
and I started the LDAP service:
root@lamp ~# service slapd start
At this point, I tested the OpenLDAP proxy server with 5 combinations of LDAP requests:
1) bypassing the OpenLDAP proxy server and directly binding to the AD server by conventional DN:
ldapsearch -H ldap://server.my.ad -D "cn=ad_user,ou=ced,dc=my,dc=ad" -w ad_user_password -x -b "ou=ced,dc=my,dc=ad" -LLL "(sAMAccountName=*)"
and it works.
2) bypassing the OpenLDAP proxy server and directly binding to the AD server by UPN (User Principal Name):
ldapsearch -H ldap://server.my.ad -D ad_user@my.ad -w ad_user_password -x -b "ou=ced,dc=my,dc=ad" -LLL "(sAMAccountName=*)"
and it works.
3) through the OpenLDAP proxy server without any binding:
ldapsearch -x -b "ou=ced,dc=my,dc=ad" -LLL "(sAMAccountName=*)"
and it works.
4) through the OpenLDAP proxy server, binding by conventional DN:
ldapsearch -D "cn=ad_user,ou=ced,dc=my,dc=ad" -w ad_user_password -x -b "ou=ced,dc=my,dc=ad" -LLL "(sAMAccountName=*)"
and it works.
5) through the OpenLDAP proxy server, binding by UPN (User Principal Name):
ldapsearch -D ad_user@my.ad -w ad_user_password -x -b "ou=ced,dc=my,dc=ad" -LLL "(sAMAccountName=*)"
and it DOES NOT work.
And it is a very BIG BIG problem for me: I cannot force users to authenticate themselves in Dovecot with a complicated and unacceptable (because of the comma, equals and space characters) DN!!!!
I tried to tackle this issue with the rewrite overlay, only to discover that this library rewrites the bind DN only after the "dnPrettyNormal()" call (making the "rewriting method" useless...)
Now, please: help me!!!! What can I do? How can I solve my issue??? And how can I avoid the DB_CONFIG issue?
Regards, Egidio.
PS: my ldap.conf and slapd.conf follow.
## LDAP.CONF ####################################
BASE       dc=xdom,dc=loc
URI        ldap://localhost
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
## SLAPD.CONF ####################################
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema

pidfile  /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

logfile  /var/log/slapd.log
loglevel -1

modulepath /usr/lib/ldap
moduleload back_bdb
moduleload back_ldap
moduleload rwm

tool-threads 1

# local database
database   bdb
suffix     "dc=xdom,dc=loc"
checkpoint 1024 15
rootdn     "cn=droot,dc=xdom,dc=loc"
rootpw     {SSHA}Xhy4Gc0k5DU+gfpbpkv+PJWJ92Itp5rJ

# proxy database towards AD (continuation lines start with whitespace)
database ldap
suffix   "dc=ts,dc=dipvvf,dc=it"
uri      "ldap://server.my.ad/ ldap://server2.my.ad/"
rebind-as-user
idassert-bind bindmethod=simple
              binddn="cn=email ed. demon,ou=email,ou=virtualization,ou=ced,dc=ts,dc=dipvvf,dc=it"
              credentials=xxxxxx
              mode=none
idassert-authzFrom "*"

overlay rwm
rwm-rewriteEngine on
rwm-rewriteMap ldap samacc "ldap://vfdc1.ts.dipvvf.it/dc=ts,dc=dipvvf,dc=it?dn?sub?samaccountname="
# alternative map URI that was also tried:
#"ldap:///dc=ts,dc=dipvvf,dc=it?dn?sub?samaccountname="
rwm-rewriteContext bindDN
rwm-rewriteRule "^([^,]+)@[^,]+$" "${samacc($1)}" ":@I"
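As an added illustration (not part of Egidio's post and not OpenLDAP code), the following Python models what the rwm bindDN rule in the posted slapd.conf is trying to do, and why, in the ordering the post describes (DN normalisation before the rewrite), the rule never gets a chance to fire for a UPN. The directory contents, account names and DNs are constructed; `looks_like_dn` is a deliberately simplified stand-in for slapd's dnPrettyNormal() (no escaped or quoted RDN values), and `samacc_map` replaces the LDAP rewrite map with a dictionary lookup.

```python
import re
from typing import Optional

# Constructed stand-in for the AD subtree the post's "samacc" rewrite map queries
# (ldap://.../dc=ts,dc=dipvvf,dc=it?dn?sub?samaccountname=): sAMAccountName -> DN.
FAKE_DIRECTORY = {
    "ad_user": "cn=ad_user,ou=ced,dc=my,dc=ad",
    "mail.svc": "cn=mail.svc,ou=email,ou=ced,dc=my,dc=ad",
}

# The bindDN rewrite rule from the post: "^([^,]+)@[^,]+$" -> "${samacc($1)}".
UPN_RULE = re.compile(r"^([^,]+)@[^,]+$")

# Simplified RFC 4514 shape (assumption: no escaped or quoted values):
# a DN is one or more "attr=value" RDNs separated by commas.
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,+=]+$")


def looks_like_dn(identity: str) -> bool:
    """Approximates the syntax check slapd's dnPrettyNormal() applies to a bind DN."""
    parts = [p.strip() for p in identity.split(",")]
    return all(RDN.match(p) for p in parts)


def samacc_map(account: str, directory=FAKE_DIRECTORY) -> Optional[str]:
    """Stand-in for the LDAP rewrite map: resolve a sAMAccountName to a DN, or None."""
    return directory.get(account)


def rewrite_bind_identity(identity: str, directory=FAKE_DIRECTORY) -> str:
    """Apply the post's rule: a UPN becomes the DN of the matching account;
    anything that does not match the UPN pattern passes through unchanged."""
    m = UPN_RULE.match(identity)
    if not m:
        return identity
    dn = samacc_map(m.group(1), directory)
    # Unknown account: leave the identity alone (the bind will then fail as a non-DN).
    return dn if dn is not None else identity


def proxy_bind_dn(identity: str, normalize_first: bool = True,
                  directory=FAKE_DIRECTORY) -> Optional[str]:
    """Return the DN the proxy would bind with, or None when the bind is refused.

    normalize_first=True  reproduces the ordering the post reports: the bind name
                          must already be a valid DN before the rewrite runs, so a
                          UPN is refused before rwm ever sees it.
    normalize_first=False models search-then-bind: resolve the account name to a
                          DN first, then validate and bind with that DN.
    """
    if normalize_first:
        if not looks_like_dn(identity):
            return None  # refused at dnPrettyNormal() time
        return rewrite_bind_identity(identity, directory)
    candidate = rewrite_bind_identity(identity, directory)
    return candidate if looks_like_dn(candidate) else None


if __name__ == "__main__":
    for ident in ("cn=ad_user,ou=ced,dc=my,dc=ad", "ad_user@my.ad", "nobody@my.ad"):
        print(f"{ident!r:40} normalize-first -> {proxy_bind_dn(ident)!r}")
        print(f"{'':40} search-then-bind -> {proxy_bind_dn(ident, normalize_first=False)!r}")
```

Running the script prints both orderings side by side: the conventional DN survives either way, the UPN only resolves when the lookup happens before any DN syntax check, and an unknown account is refused in both. That second path is the search-then-bind flow: a service credential looks up the DN for the account name, then the user's own password is used to bind as that DN. Dovecot's LDAP passdb can perform that flow itself (auth_bind = yes together with a pass_filter and no auth_bind_userdn), which is worth weighing against a proxy-side rewrite, since it also keeps the AD service credential in one configuration file.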