Hello,
I have installed the LDAP Tool Box version of OpenLDAP on Centos8 for the purpose of a proxy to AD. My proxy needs to "translate" from our old AD domain to our new AD domain (I hate company name changes!).
We have some software that access our old domain with certain credentials, does searches for groups and users then binds as the appropriate user to authenticate the user.
From this legacy system I need to be able to: 1. Bind to the proxy with credentials I can't change. These look like user "special-user@old.com". (Not a typical DN, looks more like a user principal). 2. Search a particular subtree for users and bind as that user to authenticate. 3. Search another subtree for groups and use an ad-style membership check to determine who is a user, who is an admin, etc. I need to be able to authenticate for the searching using the above special user, but the proxy operation should use a different set of credentials when searching the backend. I also need to translate subtrees and possibly individual DNs.
This is my (sanitized) slapd.conf: ------------------------------------------------- include /usr/local/openldap/etc/openldap/schema/core.schema include /usr/local/openldap/etc/openldap/schema/cosine.schema include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema include /usr/local/openldap/etc/openldap/schema/misc.schema include /usr/local/openldap/etc/openldap/schema/nis.schema
pidfile /usr/local/openldap/var/run/slapd.pid argsfile /usr/local/openldap/var/run/slapd.args
database mdb maxsize 1073741824 suffix "dc=old-domain,dc=com" rootdn "cn=Manager,dc=old-domain,dc=com" rootpw secret directory /usr/local/openldap/var/openldap-data index objectClass eq
database meta suffix "dc=old-domain,dc=com" readonly yes protocol-version 3 uri "ldap://dc1:3268,ldap://dc2:3268" suffixmassage "ou=old-tree,DC=old-domain,DC=com" "ou=new-tree,DC=new-domain,DC ------------------------------------------------- I figured out what I think should be done in translating domains, subtrees, etc. What I can't figure out is how to accept the "special-user@old.com" on the front and then use another "Service Account" through the backed so I can search for users. Once the frontend rebinds with the user's credentials, that needs to pass through.
Can anyone help me have a "split personality" when it comes to authentication?
Gary A. Algier E-mail: Gary.Algier@Mavenir.com
________________________________ This e-mail message may contain confidential or proprietary information of Mavenir Systems, Inc. or its affiliates and is intended solely for the use of the intended recipient(s). If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies in your control and contact us by e-mailing to security@mavenir.com. This message contains the views of its author and may not necessarily reflect the views of Mavenir Systems, Inc. or its affiliates, who employ systems to monitor email messages, but make no representation that such messages are authorized, secure, uncompromised, or free from computer viruses, malware, or other defects. Thank You
openldap-technical@openldap.org