olcRemoteAuthTLS: starttls=no tls_reqcert=never
AD pretty much always requires TLS, but you've turned it off entirely. I
would expect this to fail.
You either need to use ldaps:// + port 636 & starttls=no
OR
ldap:// + port 389
and starttls=yes
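For reference, the two working forms the reply describes written out as an ldapmodify LDIF against cn=config. This is an added example, not something either poster provided. The overlay DN and the CA file path are assumptions; tls_reqcert=demand and tls_cacert= are the standard libldap TLS options, and the point of adding them is that tls_reqcert=never also disables certificate verification, so even with TLS on the server certificate would never be checked.

```ldif
# Added example, not from either poster. Replaces the cleartext, unverified
# setting with one of the two TLS forms the reply describes. The overlay DN
# and the CA bundle path (/etc/ssl/certs/ad-ca.pem) are assumptions.
#
# Weak setting under discussion: cleartext LDAP, no certificate checking.
#   olcRemoteAuthMapping: remotedomain ldap://dc01.remotedomain.tld:389
#   olcRemoteAuthTLS: starttls=no tls_reqcert=never
#
# Option A: LDAPS on 636, no StartTLS, verify the DC certificate against a CA.
dn: olcOverlay={6}remoteauth,olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRemoteAuthMapping
olcRemoteAuthMapping: remotedomain ldaps://dc01.remotedomain.tld:636
-
replace: olcRemoteAuthTLS
olcRemoteAuthTLS: starttls=no tls_reqcert=demand tls_cacert=/etc/ssl/certs/ad-ca.pem
-

# Option B (apply instead of A): plain LDAP on 389 upgraded with StartTLS,
# still verifying the certificate. Uncomment to use.
# dn: olcOverlay={6}remoteauth,olcDatabase={2}mdb,cn=config
# changetype: modify
# replace: olcRemoteAuthMapping
# olcRemoteAuthMapping: remotedomain ldap://dc01.remotedomain.tld:389
# -
# replace: olcRemoteAuthTLS
# olcRemoteAuthTLS: starttls=yes tls_reqcert=demand tls_cacert=/etc/ssl/certs/ad-ca.pem
# -
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f remoteauth-tls.ldif` (or whatever cn=config bind the deployment uses). Either way, keep tls_reqcert at demand once a CA is in place; never is only defensible while debugging connectivity.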
Actually, in this particular case your assumption is incorrect. I set up another application to authenticate to this particular domain controller without TLS, with ldap://dc01.remotedomain.tld:389, and it authenticates with no problem. I will eventually configure TLS, but I'm just trying to keep it simple for now until I get this working.
Let's say I have this scenario:
Local username: local.user
Local OpenLDAP: localdomain.local
Remote user: remote.user
Remote AD controller: dc01.remotedomain.tld
Remote AD domain name: remotedomain
RemoteAuthDomainAttribute: o (Organization)
This is the config I'm using in remoteauth.ldif:
dn: cn=module{2},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: remoteauth.so
dn: olcOverlay={6}remoteauth,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRemoteAuthCfg
olcOverlay: {6}remoteauth
olcRemoteAuthDNAttribute: seeAlso
olcRemoteAuthDomainAttribute: o
olcRemoteAuthDefaultRealm: remotedomain
olcRemoteAuthMapping: remotedomain ldap://dc01.remotedomain.tld:389
olcRemoteAuthTLS: starttls=no tls_reqcert=never
olcRemoteAuthRetryCount: 3
This is the remote user config in openldap:
dn: cn=local.user,ou=users,dc=localdomain,dc=local
objectClass: inetOrgPerson
cn: local.user
sn: User
displayName: Local User
givenName: Local
mail: luser@somedomain.tld
o: remotedomain:remote.user
seeAlso: cn=Remote user,ou=Users,dc=remotedomain,dc=tld
uid: local.user
userPassword::
This config is not working. Authentication fails with the following logs. Please note there is not a single entry for the remote domain, which I assume means that OpenLDAP is not even attempting to reach the remote domain controller:
.28ab4b96 0x7fe6abfff6c0 conn=1001 op=1 SRCH attr=uid mail displayName
67b738e8.28ac875d 0x7fe6abfff6c0 conn=1001 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000016 etime=0.000161 nentries=1 tex
67b738e8.28b3d836 0x7fe6b0c756c0 conn=1002 fd=13 ACCEPT from IP=172.16.32.1:40524 (IP=0.0.0.0:1389)
67b738e8.28b6ddb4 0x7fe6abfff6c0 conn=1002 op=0 BIND dn="cn=local.user,ou=users,dc=localdomain,dc=local" m
67b738e8.28b7c4b3 0x7fe6abfff6c0 conn=1002 op=0 RESULT tag=97 err=49 qtime=0.000028 etime=0.000106 text=
67b738e8.28bd54b7 0x7fe6b0c756c0 conn=1002 fd=13 closed (connection lost)
67b738e8.28bdf386 0x7fe6abfff6c0 conn=1001 fd=12 closed (connection lost)
67b738f7.218e694d 0x7fe6b0c756c0 conn=1003 fd=12 ACCEPT from IP=172.16.32.1:36998 (IP=0.0.0.0:1389)
67b738f7.218f04b4 0x7fe6abfff6c0 conn=1003 op=0 BIND dn="cn=ldap-admin,dc=localdomain,dc=local" method=128
67b738f7.218f6645 0x7fe6abfff6c0 conn=1003 op=0 BIND dn="cn=ldap-admin,dc=localdomain,dc=local" mech=SIMPLE bind_ssf=0
67b738f7.218fd3a9 0x7fe6abfff6c0 conn=1003 op=0 RESULT tag=97 err=0 qtime=0.000008 etime=0.000077 text=
67b738f7.21933140 0x7fe6b0c756c0 conn=1003 op=1 SRCH base="ou=users,dc=localdomain,dc=local" scope=2 deref=0 filter="(&(uid=dds)(objectClass=inetOrgPerson))"
67b738f7.21936655 0x7fe6b0c756c0 conn=1003 op=1 SRCH attr=uid mail displayName
67b738f7.21943fac 0x7fe6b0c756c0 conn=1003 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000008 etime=0.000098 nentries=0 tex
67b738f7.2196cf66 0x7fe6abfff6c0 conn=1003 fd=12 closed (connection lost)
Thanks