You probably need to delete the userPassword attribute?
This is correct.
Finally got it working. Thanks for all the help!
I was able to piece the solution together. As previously mentioned, most guidance out there focuses on configuring it with slapd.conf; however, in my case I was trying to use the Bitnami openldap container, which does not use a slapd.conf but instead uses dynamic runtime configuration, which complicated matters. Here's the config that works for pass-through remoteauth authentication as well as argon2 password hashing with the Bitnami openldap container, for anyone who may find themselves in this nightmare in the future:
docker-compose.yml:
openldap:
  image: bitnami/openldap:latest
  container_name: openldap_app
  ports:
    - '1389:1389'
    - '1636:1636'
  environment:
    - LDAP_ROOT=dc=local-openldap-domain,dc=local
    # placeholder credentials; keep real ones in an .env file or a secret
    - LDAP_ADMIN_USERNAME=ldap-admin
    - LDAP_ADMIN_PASSWORD=ldap_admin_password
    - LDAP_USERS=some-ldap-user
    - LDAP_PASSWORDS=some_ldap_user_password
    - LDAP_EXTRA_SCHEMAS=cosine,inetorgperson,nis,argon2,remoteauth
    - BITNAMI_DEBUG=true
    - LDAP_LOG_LEVEL=1
  networks:
    openldap_net_ext:
      ipv4_address: 172.16.xxx.xxx
  volumes:
    - openldap_data:/bitnami/openldap
    - ./schema-argon2.ldif:/opt/bitnami/openldap/etc/schema/schema-argon2.ldif
    - ./schema-remoteauth.ldif:/opt/bitnami/openldap/etc/schema/schema-remoteauth.ldif
    - ./custom-argon2.ldif:/custom/custom-argon2.ldif
    - ./custom-remoteauth.ldif:/custom/custom-remoteauth.ldif
schema-argon2.ldif:
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: argon2.so
schema-remoteauth.ldif:
dn: cn=module{2},cn=config
objectClass: olcModuleList
# cn must match the RDN of the dn above (module{2}, not module{1})
cn: module{2}
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: remoteauth.so
custom-argon2.ldif:
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {ARGON2}
custom-remoteauth.ldif:
dn: olcOverlay={6}remoteauth,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRemoteAuthCfg
olcOverlay: {6}remoteauth
olcRemoteAuthDNAttribute: seeAlso
olcRemoteAuthDomainAttribute: associatedDomain
olcRemoteAuthDefaultDomain: ad-domain
olcRemoteAuthMapping: ad-domain dc01.ad-domain.tld
# starttls=no and tls_reqcert=never send the user's password to the DC in
# clear text and skip certificate checks; acceptable in a lab, not in production
olcRemoteAuthTLS: starttls=no tls_reqcert=never
olcRemoteAuthRetryCount: 3
Once the container is up, add the custom-argon2.ldif and the custom-remoteauth.ldif files as follows:
# the argon2 file is a changetype: modify, the overlay file is a new entry;
# paths match the /custom/ mounts in docker-compose.yml
docker exec openldap_app ldapmodify -H ldapi:/// -Y EXTERNAL -f /custom/custom-argon2.ldif
docker exec openldap_app ldapadd -H ldapi:/// -Y EXTERNAL -f /custom/custom-remoteauth.ldif
For a remoteauth user, use the following attributes to create a user in openldap, where seeAlso is the DN of the user in the remote AD domain. I'm guessing it should work with just the username on the remote domain:
# no userPassword on this entry (see the comments above): the bind is passed through to AD
dn: cn=jsmoe,ou=users,dc=local-openldap-domain,dc=local
objectClass: domainRelatedObject
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
associatedDomain: ad-domain
cn: jsmoe
sn: Smoe
displayName: Joe Smoe
givenName: Joe
mail: jsmoe@domain.tld
seeAlso: cn=Joe Smoe,ou=Users,dc=ad-domain,dc=tld
uid: jsmoe
For a local openldap user, I use the following attributes to create a user in openldap:
dn: cn=mjane,ou=users,dc=local-openldap-domain,dc=local
objectClass: inetOrgPerson
cn: mjane
sn: Jane
displayName: Mary Jane
givenName: Mary
mail: mjane@domain.tld
uid: mjane
userPassword: {ARGON2}$argon2id$v=19$m=7168,t=5,p=1$NaoI0qbKSpD5Hle+WhfncQ$HIWlTiUf02j8+tqOattpu2Z9tKyPGXG0YxyrxhmFDFs
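A post-deploy check for the setup in the answer above, added here as an example and not part of the original post. It assumes the names used in that answer (container openldap_app, base dc=local-openldap-domain,dc=local, local user mjane, remoteauth user jsmoe) and that slapd listens on 1389 inside the container; override them through the environment if yours differ. The parsing helpers take ldapsearch output on stdin so they can be exercised without a running directory; the live checks only run when the script is invoked with the argument run.

```shell
#!/bin/sh
# Verify the Bitnami OpenLDAP + argon2 + remoteauth configuration from the
# answer above. Added example, not the answerer's code. Assumed names below
# match that answer; override via the environment.
set -u

CONTAINER="${CONTAINER:-openldap_app}"
BASE="${BASE:-dc=local-openldap-domain,dc=local}"
LOCAL_USER="${LOCAL_USER:-mjane}"
REMOTE_USER="${REMOTE_USER:-jsmoe}"

# cn=config search over ldapi with SASL EXTERNAL, as in the answer's ldapadd calls.
ldapi_search() {
    docker exec "$CONTAINER" ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// "$@"
}

# Interactive simple bind; -W prompts for the password so it never lands in
# argv, shell history or `docker inspect`.
bind_as() {
    docker exec -it "$CONTAINER" ldapwhoami -x -W -H ldap://localhost:1389 -D "$1"
}

# stdin: olcModuleLoad values from cn=config. Succeeds only if both modules
# from schema-argon2.ldif and schema-remoteauth.ldif are actually loaded.
modules_loaded() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'olcModuleLoad: .*argon2\.so' &&
    printf '%s\n' "$out" | grep -q 'olcModuleLoad: .*remoteauth\.so'
}

# stdin: olcPasswordHash of the frontend database. New userPassword values
# are hashed with {ARGON2} only if this is set (custom-argon2.ldif).
argon2_default_hash() {
    grep -q '^olcPasswordHash: {ARGON2}$'
}

# stdin: one user entry. A pass-through user needs the attributes the overlay
# maps (seeAlso -> remote DN, associatedDomain -> domain) and, as noted in the
# comments above, must not carry a local userPassword.
remoteauth_user_ok() {
    entry=$(cat)
    printf '%s\n' "$entry" | grep -q '^seeAlso: ' &&
    printf '%s\n' "$entry" | grep -q '^associatedDomain: ' &&
    ! printf '%s\n' "$entry" | grep -qi '^userPassword:'
}

run_checks() {
    ldapi_search -b cn=config '(objectClass=olcModuleList)' olcModuleLoad | modules_loaded ||
        { echo "FAIL: argon2.so and/or remoteauth.so not loaded"; return 1; }

    ldapi_search -b 'olcDatabase={-1}frontend,cn=config' olcPasswordHash | argon2_default_hash ||
        { echo "FAIL: olcPasswordHash on the frontend is not {ARGON2}"; return 1; }

    ldapi_search -b 'olcDatabase={2}mdb,cn=config' -s one '(objectClass=olcRemoteAuthCfg)' dn |
        grep -q '^dn: ' || { echo "FAIL: remoteauth overlay not present on {2}mdb"; return 1; }

    ldapi_search -b "cn=$REMOTE_USER,ou=users,$BASE" -s base seeAlso associatedDomain userPassword |
        remoteauth_user_ok || { echo "FAIL: $REMOTE_USER is not shaped for pass-through"; return 1; }

    # Local bind proves {ARGON2} verification works; remote bind proves the
    # overlay forwards the credentials to the mapped DC.
    bind_as "cn=$LOCAL_USER,ou=users,$BASE" || { echo "FAIL: argon2 bind as $LOCAL_USER"; return 1; }
    bind_as "cn=$REMOTE_USER,ou=users,$BASE" || { echo "FAIL: pass-through bind as $REMOTE_USER"; return 1; }
    echo "OK: modules, hash scheme, overlay, user shape and both binds verified"
}

if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Usage: `sh check-ldap.sh run` after the two ldapadd/ldapmodify steps; the script exits non-zero at the first failed check and prints which one failed. The bind checks are deliberately interactive: if the pass-through bind fails while the local one succeeds, look at the overlay mapping and the DC's reachability from the container before touching the user entries.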