Hello everyone,
I am currently struggling with my OpenLDAP configuration (v2.5.13 on Debian 12). I want my OpenLDAP server to host a local database and to act as a proxy to an Active Directory database. Both databases should be merged to centralise authentication.
Through my research, I've discovered slapd-meta to merge multiple databases.
Here is a small diagram of what I expect:

                                  |--------> Local database (LDIF) "ou=local"
META "dc=example,dc=com" ---------|
                                  |--------> Proxy Active Directory "cn=Users,dc=addomain,dc=com"
I am able to regroup accounts from both Active Directory and local OpenLDAP databases within the same naming context "dc=example,dc=com".
Available accounts within "dc=example,dc=com":
- cn=userad,dc=example,dc=com (from the Active Directory database)
- cn=userldap,dc=example,dc=com (from the local OpenLDAP database)
For my Windows devices, I use pGina to manage user authentication against my OpenLDAP server. Once pGina is correctly configured, I can easily and quickly connect with all available accounts from AD and LDAP (userad and userldap).
My "only" problem is when the Active Directory server is down or unreachable. I am obviously no longer able to connect with Active Directory accounts. However, authentication with OpenLDAP accounts (userldap) becomes very slow and sometimes I can't connect.
In fact, the OpenLDAP server keeps trying to reach Active Directory for every request even if it is unreachable. This behaviour seems to slow down OpenLDAP searches within the local LDAP database a lot.
I've tried implementing different types of timeouts in order to stop it reaching unreachable servers, but it doesn't make authentication for LDAP accounts any faster.
Here is my slapd.conf:
#################BOF###################
### SCHEMAS
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/microsoft.minimal.schema
include /etc/ldap/schema/rfc2307bis.schema

### MODULES
# Path
modulepath /usr/lib/ldap
# Module for ldap database
moduleload back_ldap
# Module for meta database
moduleload back_meta

### MAIN SETTINGS
pidfile /run/slapd/slapd.pid
argsfile /run/slapd/slapd.args

### DATABASES DEFINITION
## GENERAL ##

## LOCAL DATABASE CONFIG ##
database ldif
suffix "ou=local"
directory "/var/lib/ldap"
rootdn "cn=ldapadm,ou=local"
rootpw "*****"
access to *
    by dn="cn=admin,dc=example,dc=com" write
    by * read
    by * search

## MAIN DATABASE TO REGROUP BOTH REMOTE AND LOCAL DATABASE ##
database meta
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw "*****"

## PROXY TO LOCAL DB ##
uri "ldap://127.0.0.1/dc=example,dc=com"
lastmod off
suffixmassage "dc=example,dc=com" "ou=local"
rebind-as-user
idassert-bind bindmethod=simple
    binddn="cn=ldapadm,ou=local"
    credentials="*****"
    mode=none
idassert-authzFrom "*"

## PROXY TO Active Directory ##
uri "ldap://AD-ip:389/dc=example,dc=com"
readonly yes
lastmod off
suffixmassage "dc=example,dc=com" "cn=Users,dc=addomain,dc=com"
protocol-version 3
rebind-as-user
idassert-bind bindmethod=simple
    binddn="cn=Administrator,cn=Users,dc=addomain,dc=com"
    credentials="*****"
    mode=none
    flags=override
idassert-authzFrom "*"
map attribute uid sAMAccountName
#################EOF###################
Any help or suggestion on how to authenticate with local OpenLDAP accounts even if the Active Directory server is down would be appreciated.
Have a good day.
Alexis
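As an added example (editor's illustration, not part of Alexis's post or his configuration), here is the Active Directory target of the meta database above rewritten with the slapd-meta(5) directives that bound how long a request can wait on an unreachable target and how soon that target is contacted again: network-timeout, timeout, nretries, quarantine and the database-wide onerr. The URI, suffixes and bind DN are taken from the posted configuration; every numeric value below is an assumed illustration value, not a recommendation derived from the post.

```conf
## MAIN DATABASE TO REGROUP BOTH REMOTE AND LOCAL DATABASE ##
database meta
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw "*****"
# Database-wide (must precede the first "uri"): when one target fails,
# keep going and return what the remaining targets answered. This is
# the default value; it is spelled out here so the intent is visible.
onerr continue

## PROXY TO LOCAL DB ##
uri "ldap://127.0.0.1/dc=example,dc=com"
lastmod off
suffixmassage "dc=example,dc=com" "ou=local"
rebind-as-user
idassert-bind bindmethod=simple
    binddn="cn=ldapadm,ou=local"
    credentials="*****"
    mode=none
idassert-authzFrom "*"

## PROXY TO Active Directory ##
uri "ldap://AD-ip:389/dc=example,dc=com"
readonly yes
lastmod off
suffixmassage "dc=example,dc=com" "cn=Users,dc=addomain,dc=com"
protocol-version 3
# Seconds to wait for the TCP connect to AD-ip before giving up
# (assumed value).
network-timeout 3
# Per-operation limits on this target, in seconds (assumed values);
# a bind or search that exceeds them is abandoned on this target only.
timeout bind=5 search=5
# Do not retry a failed connection attempt within the same operation.
nretries never
# After a failure, skip this target for 30 s and retry at most 10 times
# on that schedule, then every 300 s for as long as it stays down.
# While quarantined the target is not contacted at all, so the local
# target answers alone (assumed schedule).
quarantine "30,10;300,+"
rebind-as-user
idassert-bind bindmethod=simple
    binddn="cn=Administrator,cn=Users,dc=addomain,dc=com"
    credentials="*****"
    mode=none
    flags=override
idassert-authzFrom "*"
map attribute uid sAMAccountName
```

The directives placed after the second uri apply to that target only, so the loopback target keeps its defaults. When checking the effect, compare the wall-clock time of a bind as userldap with AD-ip reachable against the same bind with it firewalled off, and watch the slapd log for the target being quarantined and later retried.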