Hi Howard,

Thank you for your response.  Could you possibly provide an example ldap.conf and slapd.conf?  I have tried reading the man pages as noted and just can't seem to find the right combinations.

The reason for 4 is to verify the password for the given username.

The plan is to have a server connect to this OpenLDAP proxy, be verified only by its connecting client certificate (not a username and password), do a user DN search (that will be conducted by the proxy using the configured credentials in the proxy), and then attempt to rebind with that resulting user DN.  If the rebind is successful, then the user is granted access.

David Cunningham | Sr. Systems Manager
CherryRoad Technologies Inc.
DCunningham@cherryroad.com


-----Original Message-----
From: Howard Chu <hyc@symas.com>
Sent: Thursday, January 28, 2021 9:11 AM
To: David Cunningham <DCunningham@cherryroad.com>; openldap-technical@openldap.org
Subject: Re: OpenLDAP proxy to AD with client certificates

David Cunningham wrote:
> Hello,
>
> I would like to configure slapd.conf to proxy requests to an AD server.
>
> 1.) I want SLAPD to always connect to this AD server as a specific user
> 2.) I want SLAPD to run all queries including searches against this AD server using the defined user.
> 3.) I want clients connecting to SLAPD to query AD to be authenticated by revokable client certificate only.  If the connecting client has a valid certificate that matches a CA, then its LDAP query is allowed and proxied to Active Directory.
> 4.) The client should also be able to rebind as user after doing a user DN search (to verify username/password).
>
>
> Does that make sense?

Sure. Read the slapd-ldap(5) manpage for 1 and 2. Read slapd.conf(5) for 3.

4 doesn't make sense after already authenticating via 3 but sure, you can do it.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
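For readers following this thread, below is an added illustration of how the four items could be expressed in slapd.conf, with the related ldap.conf(5) trust settings at the end. It is editorial example configuration, not David's or Howard's, and not from the OpenLDAP project. Every hostname, DN, file path and the service-account password is a placeholder, and the directive semantics described in the comments should be confirmed against slapd-ldap(5) and slapd.conf(5) for the installed OpenLDAP version.

```conf
#
# slapd.conf (example): the proxy authenticates clients by certificate and
# proxies to AD as one fixed service account (items 1-3); client simple
# binds are forwarded to AD, which is what verifies the password (item 4).
#
include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

### TLS for the proxy's own listener (slapd.conf(5)) ###
TLSCertificateFile      /etc/openldap/certs/proxy.crt       # placeholder
TLSCertificateKeyFile   /etc/openldap/certs/proxy.key       # placeholder
# CA that issues the client certificates; only chains to this CA are accepted.
TLSCACertificateFile    /etc/openldap/certs/client-ca.pem   # placeholder

# Item 3: the TLS handshake fails unless the client presents a certificate
# that validates against the CA above (no username/password involved) ...
TLSVerifyClient         demand
# ... and revoked certificates are rejected. With OpenSSL builds the CRL is
# read from the hashed TLSCACertificatePath directory (CA cert + CRL, run
# through c_rehash); GnuTLS builds use TLSCRLFile instead of TLSCRLCheck.
TLSCACertificatePath    /etc/openldap/certs/ca-dir          # placeholder
TLSCRLCheck             all

# Refuse any operation that did not arrive over TLS with at least 128-bit
# strength, so a plain ldap:// connection cannot bypass the certificate check.
security                ssf=128

### Proxy database (slapd-ldap(5)) ###
database        ldap
suffix          "dc=example,dc=com"                 # placeholder: AD domain DN
uri             "ldaps://ad.example.com/"           # placeholder

# Items 1 and 2: slapd binds to AD as this fixed account and runs every
# proxied operation under it. mode=none means no proxyAuthz control is sent
# (AD does not support it), so AD only ever sees the service account.
idassert-bind   bindmethod=simple
                binddn="cn=ldap-proxy,ou=Service Accounts,dc=example,dc=com"
                credentials="PLACEHOLDER_PASSWORD"
                mode=none
# Which local identities receive the assertion: dn.regex:.* also matches the
# empty DN, i.e. clients that never bound and are trusted on their certificate.
idassert-authzFrom "dn.regex:.*"

# Item 4 needs no extra directive: a simple bind arriving from a client is
# forwarded to AD with the client-supplied DN and password, so AD decides
# whether the credentials are valid.
# Do not follow AD's referrals to other domain controllers.
chase-referrals no

### /etc/openldap/ldap.conf (ldap.conf(5)), a separate file: trust settings
### libldap uses for the proxy's outbound ldaps:// connection to AD, and for
### ldapsearch/ldapwhoami test clients on the same host.
TLS_CACERT      /etc/openldap/certs/ad-ca.pem       # placeholder: AD's issuing CA
TLS_REQCERT     demand
```

To exercise the flow from a client host, a search over `ldaps://` with no bind (`-x`, no `-D`) should succeed only when the client certificate is supplied (the `LDAPTLS_CERT` and `LDAPTLS_KEY` environment variables documented in ldap.conf(5) point libldap at it) and fail at the TLS handshake when it is absent or revoked; a subsequent `ldapwhoami -x -D <user DN> -W` through the proxy then shows whether AD accepted the user's password. The confidentiality of `PLACEHOLDER_PASSWORD` rests on file permissions of slapd.conf, so it should be readable by the slapd user only.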