Excellent... I am now able to simulate the process that the external application will use:
- Bind to OpenLDAP server using AD service account.
- Search for DN of user account using sAMAccountName filter.
- Bind to OpenLDAP server using DN and password of user account to provide auth for application.
How can I limit what data is accessible via search? Since all I am trying to do is check user/pass, the only thing I'd like to allow returned to the client is the DN. I've tried with 'rwm-map attribute *' per a few documents I found, but I don't get anything returned via my LDAP search with that in the config (I've tried lots of different combos above that to allow data, then block all other data). Now that I think I've got this working for the most part... what are some best security practices for this setup?
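An added example (not from this thread or from OpenLDAP's own docs) of a back-ldap proxy definition for the bind/search/bind flow described above, hiding every attribute except the entry itself so a search returns only DNs; it relies on ACLs rather than rwm-map, on the assumption that the frontend applies read ACLs to entries that back-ldap returns (as described in slapd-ldap(5) under ACCESS CONTROL). The suffix, hostname and CA path are placeholders.

```conf
# Added example slapd.conf fragment: OpenLDAP in the DMZ proxying to internal AD.
# Placeholder values: dc=corp,dc=example, ad.internal.example, /etc/ssl/certs/internal-ca.pem
database        ldap
suffix          "dc=corp,dc=example"               # must match the AD naming context
uri             "ldap://ad.internal.example"       # StartTLS is negotiated below

# Every client bind (service account or end user) is forwarded to AD with the
# client's own DN and password, so the proxy keeps no local user database.
rebind-as-user  yes

# Do not let the DMZ proxy chase AD referrals to other internal hosts.
chase-referrals no

# Require TLS to AD and verify its certificate against the internal CA.
tls             start tls_cacert=/etc/ssl/certs/internal-ca.pem tls_reqcert=demand

# ACLs enforced by the frontend on entries AD returns: an authenticated bind may
# read the "entry" pseudo-attribute (needed for the entry, and thus its DN, to
# be returned at all); no other attribute is ever sent to the client,
# regardless of which attributes the search requests.
access to attrs=entry
        by users read
        by * none
access to *
        by * none
```

With this in place, the service account's search on sAMAccountName still resolves the user's DN, but the result carries no other attribute values to the Internet-facing client.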
Date: Wed, 15 Oct 2014 01:50:02 +0100
From: hyc@symas.com
To: jeflebo@outlook.com; openldap-technical@openldap.org
Subject: Re: OpenLDAP as proxy to Active Directory backend
Jeff Lebo wrote:
Goal: LDAP server in Internet facing DMZ to provide authentication for externally hosted applications using internal AD credentials.
I've done a LOT of reading and testing, and there is one thing I am still not 100% clear on:
Is it possible to do this WITHOUT having a local user database on the OpenLDAP proxy? We will have thousands of users that will need to authenticate, and I can't maintain another user database (adds, removes, etc..). Is there a way to make OpenLDAP just act more like a reverse proxy and forward anything that matches a specific domain on to the internal LDAP/AD server for password verification?
That's exactly what back-ldap does. A couple other posts have already pointed you to its manpage/documentation. Everything else mentioned so far (SASL passthrough) is misdirection.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/