Howard Chu wrote:
maupas.alexis@hotmail.com wrote:
Hello everyone,
I am currently struggling with my OpenLDAP configuration (v2.5.13 on Debian 12). I want my OpenLDAP server to host a local database and to act as a proxy to an Active Directory database. Both databases should be merged to centralise authentication.
Through my research, I've discovered slapd-meta to merge multiple databases.
Here is a small schema of what I expect :
                                |--------> Local database (LDIF) "ou=local"
META "dc=example,dc=com" -------|
                                |--------> Proxy Active Directory "cn=Users,dc=addomain,dc=com"
I am able to regroup accounts from both Active Directory and local OpenLDAP databases within the same naming context "dc=example,dc=com".
Available accounts within "dc=example,dc=com" :
- cn=userad,dc=example,dc=com (From Active Directory database)
- cn=userldap,dc=example,dc=com (From local OpenLDAP database)
For my Windows devices, I use pGina to manage user authentication against my OpenLDAP server. Once pGina is correctly configured, I can easily and quickly connect with all available accounts from AD and LDAP (userad and userldap).
My "only" problem is when the Active Directory server is down or unreachable. I am obviously no longer able to connect with Active Directory accounts. However, authentication with OpenLDAP accounts (userldap) becomes very slow and sometimes I can't connect.
Sounds like your authentication mechanism is doing an LDAP search against the entire tree to find the user's DN, so even though the local LDAP server is up, it has to query the AD server still.
You should look into using the slapo-pcache overlay to help mitigate the effects of AD being down.
Actually I wouldn't use back-meta here at all, I'd use back-ldap / slapo-pcache + slapo-rwm instead.
## local database config ##
database mdb
suffix ou=local,dc=example,dc=com
...
subordinate

## proxy to remote ##
database ldap
suffix ou=msad,dc=example,dc=com
rwm-suffixmassage cn=users,dc=example,dc=com
...
overlay pcache
...

## parent DB ##
database ldif
suffix dc=example,dc=com
...
In fact, OpenLDAP server keeps trying to reach Active Directory for every request even if it's unreachable. This behaviour seems to slow the OpenLDAP searches within the local LDAP database a lot.
I've tried implementing different types of timeout in order to stop reaching unreachable servers but it doesn't make the authentication for LDAP accounts go any faster.
Here is my slapd.conf :
#################BOF###################
### SCHEMAS
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/microsoft.minimal.schema
include /etc/ldap/schema/rfc2307bis.schema

### MODULES
modulepath /usr/lib/ldap        # Path
moduleload back_ldap            # Module for ldap database
moduleload back_meta            # Module for meta database

### MAIN SETTINGS
pidfile /run/slapd/slapd.pid
argsfile /run/slapd/slapd.args

### DATABASES DEFINITION
## GENERAL ##

## LOCAL DATABASE CONFIG ##
database ldif
suffix "ou=local"
directory "/var/lib/ldap"
rootdn "cn=ldapadm,ou=local"
rootpw "*****"

access to *
    by dn="cn=admin,dc=example,dc=com" write
    by * read
    by * search

## MAIN DATABASE TO REGROUP BOTH REMOTE AND LOCAL DATABASE ##
database meta
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw "*****"

## PROXY TO LOCAL DB ##
uri "ldap://127.0.0.1/dc=example,dc=com"
lastmod off
suffixmassage "dc=example,dc=com" "ou=local"
rebind-as-user
idassert-bind bindmethod=simple
    binddn="cn=ldapadm,ou=local"
    credentials="*****"
    mode=none
idassert-authzFrom "*"

## PROXY TO Active Directory ##
uri "ldap://AD-ip:389/dc=example,dc=com"
readonly yes
lastmod off
suffixmassage "dc=example,dc=com" "cn=Users,dc=addomain,dc=com"
protocol-version 3
rebind-as-user
idassert-bind bindmethod=simple
    binddn="cn=Administrator,cn=Users,dc=addomain,dc=com"
    credentials="*****"
    mode=none
    flags=override
idassert-authzFrom "*"
map attribute uid sAMAccountName
#################EOF###################
Any help or suggestion on how to authenticate with local OpenLDAP accounts even if the Active Directory server is down would be appreciated.
Have a good day.
Alexis
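The layout Howard Chu sketches above (a local mdb database and a back-ldap proxy to AD, both subordinate to a glue database, with slapo-rwm doing the suffix and attribute mapping and slapo-pcache caching AD results) written out as a complete slapd.conf. This is an added example, not a configuration from the thread or from the OpenLDAP project; the AD hostname, the service account DN, the directory paths, the index list, and the pcache and timeout values are assumptions chosen for illustration, not values taken from Alexis's setup. Directive names follow the slapd-ldap(5), slapo-rwm(5) and slapo-pcache(5) manual pages.

```conf
# Added example: back-ldap + slapo-rwm + slapo-pcache under a glue database.
# Hostname, service account, paths and tuning values below are assumptions.

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema

pidfile         /run/slapd/slapd.pid
argsfile        /run/slapd/slapd.args

modulepath      /usr/lib/ldap
moduleload      back_mdb
moduleload      back_ldap
moduleload      rwm
moduleload      pcache

# Subordinate databases must be declared before their superior (glue) database.

## Local accounts: served from disk, never touches AD.
database        mdb
suffix          "ou=local,dc=example,dc=com"
subordinate
directory       /var/lib/ldap/local
rootdn          "cn=ldapadm,ou=local,dc=example,dc=com"
rootpw          "*****"
index           objectClass,uid eq

## Proxy to Active Directory, read-only.
database        ldap
suffix          "ou=msad,dc=example,dc=com"
subordinate
uri             "ldap://ad.addomain.com:389"       # assumed hostname
readonly        yes
lastmod         off
protocol-version 3
# Fail fast when AD is unreachable instead of hanging the whole search:
# network-timeout bounds the TCP connect, timeout bounds each operation (seconds).
network-timeout 3
timeout         bind=5 search=5
# Use a dedicated low-privilege service account, not Administrator (assumed DN).
idassert-bind   bindmethod=simple
                binddn="cn=svc-ldapproxy,cn=Users,dc=addomain,dc=com"
                credentials="*****"
                mode=none
idassert-authzFrom "*"

# Rewrite between the virtual suffix ou=msad,dc=example,dc=com and the AD
# container, and map the attribute clients ask for onto its AD name.
overlay         rwm
rwm-suffixmassage "cn=Users,dc=addomain,dc=com"
rwm-map         attribute uid sAMAccountName

# Cache AD search results locally so that repeated lookups are answered from
# the cache (and keep being answered while AD is down, until the TTL expires).
# pcache <database> <max_entries> <numattrsets> <entry_limit> <cc_period>
overlay         pcache
pcache          mdb 10000 1 1000 100
directory       /var/lib/ldap/pcache
index           objectClass eq
index           pcacheQueryID eq
# Attribute set 0: what a user lookup for authentication typically needs.
pcacheAttrset   0 uid cn sAMAccountName memberOf objectClass
# Cache (uid=...) and (sAMAccountName=...) queries for 1 h; negative results 10 min.
pcacheTemplate  (uid=) 0 3600 600
pcacheTemplate  (sAMAccountName=) 0 3600 600

## Glue database: the single naming context clients see.
database        mdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap/root
rootdn          "cn=admin,dc=example,dc=com"
rootpw          "*****"
```

Two caveats that follow from Howard's diagnosis rather than from the config itself. First, pcache only helps for a query it has already seen and stored; a subtree search over dc=example,dc=com for an uncached user still fans out to the AD subordinate, so network-timeout is what bounds the delay in that case. Second, if the client (pGina here) can be told to search with base ou=local,dc=example,dc=com for local accounts, the request never reaches the AD subordinate at all, which removes the dependency instead of mitigating it. Check the result with ldapsearch against both bases while the AD host is unreachable: the ou=local search should return immediately, the dc=example,dc=com search should return within the configured network-timeout rather than hanging.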