Hi all -
Thanks in advance. I know this topic has been discussed at length but I'm fairly new to it and haven't been able to find enough information to get my implementation working. I've been piecing together bits and pieces of what seems like the correct parameters, but I've had no luck... and now that I've resorted to guessing, I'd like to ask for help.
So here's what I'm trying to achieve:
One OpenLDAP server that will A) proxy for a backend AD server and B) maintain a local database for users that are not in AD. The AD system will be used for internal/corp users while the local db will be used for external/3rd party people. The AD system has _some_ of the unix schema attributes, but not all so I will be doing some rewriting on the openldap server. The linux workstations will use the single openldap server and will only be used by internal users and we also have some websites that are for internal/external users.
For the time being, I'm just working on part A - proxy requests for these linux workstations to the backend AD server and get the proper mapping figured out.
My present problem is that my openldap server is connecting anonymously to the AD server and that's no good because that's not allowed. I have an AD service account defined for the openldap server connections, and have configured the correct values for the 'idassert-bind' directive (see below). Performing a manual ldapsearch works fine when I define the same parameters on the command line, but slapd isn't using the correct parameters it seems. Below are the config files, etc. for each component... I hope this helps.
./ldapsearch -vvv -H ldap://corp-ad.mascorp.com -b "dc=mascorp,dc=com" -s sub -D "cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" -W
I've compiled and installed bdb v4.8 and openldap v2.4.23 from source. Here's how I configured openldap:
LD_LIBRARY_PATH="/usr/lib:/usr/local/lib:/cluster/centauth/BerkeleyDB.4.8/lib:/usr/local/ssl/lib" CPPFLAGS="-I/cluster/centauth/BerkeleyDB.4.8/include" LDFLAGS="-L/cluster/centauth/BerkeleyDB.4.8/lib" ./configure --prefix=/cluster/centauth/openldap2.4 --enable-shared --enable-crypt=yes --enable-rewrite=yes --enable-bdb=yes --enable-hdb=yes --enable-ldap=mod --enable-meta=mod --enable-monitor=yes --enable-relay=mod --enable-overlays=yes --with-cyrus-sasl --with-threads=posix --with-tls=openssl
This is the client configuration on the linux workstation:
# /etc/ldap.conf
base dc=mascorp,dc=com
scope sub
timelimit 120
bind_timelimit 120
idle_timelimit 3600
uri ldap://sso.mascorp.com
ssl no
pam_password ad
#eof
This is the server config on the openldap server:
# /cluster/centauth/etc/slapd.conf
include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/misc.schema
include /usr/share/openldap2.4/schema/corba.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/ppolicy.schema
include /usr/share/openldap2.4/schema/ldapns.schema
include /cluster/centauth/etc/schema/microsoft.minimal.schema

pidfile /cluster/centauth/var/run/slapd.pid
argsfile /cluster/centauth/var/run/slapd.args
loglevel -1
monitoring on
defaultsearchbase "dc=mascorp,dc=com"

database ldap
suffix "dc=mascorp,dc=com"
uri "ldap://corp-ad.mascorp.com"
acl-bind bindmethod=simple binddn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" credentials="mofosecret"
idassert-bind bindmethod=simple binddn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" credentials="mofosecret"

overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute homeDirectory unixHomeDirectory
rwm-map attribute cn cn
rwm-map attribute displayName displayName
rwm-map attribute givenName givenName
rwm-map attribute sn sn
rwm-map attribute mail mail
rwm-map attribute userPassword objectGUID
rwm-map attribute *
rwm-map objectclass posixAccount organizationalPerson
rwm-map objectclass inetOrgPerson user

access to dn.subtree="dc=mascorp,dc=com" by * read
#eof
# Pertinent logs from ldap2.4.log
Jan 20 00:13:57 sso slapd[30527]: do_bind: v3 anonymous bind
Jan 20 00:13:57 sso slapd[30527]: ==> limits_get: conn=1000 op=1 self="[anonymous]" this="dc=mascorp,dc=com"
Jan 20 00:13:57 sso slapd[30527]: send_ldap_result: err=1 matched="" text="00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece"
Thanks!
Rafa
On 21/01/2011 21:01, L.B. wrote:
Hi all -
Thanks in advance. I know this topic has been discussed at length but I'm fairly new to it and haven't been able to find enough information to get my implementation working. I've been piecing together bits and pieces of what seems like the correct parameters, but I've had no luck... and now that I've resorted to guessing, I'd like to ask for help.
So here's what I'm trying to achieve:
One OpenLDAP server that will A) proxy for a backend AD server and B) maintain a local database for users that are not in AD. The AD system will be used for internal/corp users while the local db will be used for external/3rd party people. The AD system has _some_ of the unix schema attributes, but not all so I will be doing some rewriting on the openldap server. The linux workstations will use the single openldap server and will only be used by internal users and we also have some websites that are for internal/external users.
For the time being, I'm just working on part A - proxy requests for these linux workstations to the backend AD server and get the proper mapping figured out.
My present problem is that my openldap server is connecting anonymously to the AD server and that's no good because that's not allowed. I have an AD service account defined for the openldap server connections, and have configured the correct values for the 'idassert-bind' directive (see below). Performing a manual ldapsearch works fine when I define the same parameters on the command line, but slapd isn't using the correct parameters it seems. Below are the config files, etc. for each component... I hope this helps.
./ldapsearch -vvv -H ldap://corp-ad.mascorp.com -b "dc=mascorp,dc=com" -s sub -D "cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" -W
This is the server config on the openldap server:
[...]
idassert-bind bindmethod=simple binddn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com" credentials="mofosecret"
access to dn.subtree="dc=mascorp,dc=com"
Look into the "mode" parameter of idassert-bind. For example, by adding "mode=none" to the end of the above line, slapd will always use the given binddn and credentials to forward anonymous connections to AD. Of course, this may be seen as a security flaw: you're giving anonymous access via OpenLDAP to a directory that doesn't allow anonymous access - use with care (this said, if access to your OpenLDAP directory is protected in another way, I see no reason not to do this).
For your part B), I suggest looking into the subordinate keyword: add a "hdb" database to your config, and place the AD proxy as a subordinate to that. You'll then be able to have "local" users in OpenLDAP, and a subtree that is a proxy to your AD.
Once you're there, it may be worthwhile setting up pcache (caching proxy), to save a bit of traffic between OpenLDAP and AD, and possibly provide security against AD being unavailable and "breaking" your OpenLDAP installation.
Hope this helps,
Jonathan
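The three suggestions above (mode=none on idassert-bind, an hdb superior with the AD proxy as a subordinate, and pcache in front of the proxy) fit together as shown in the following slapd.conf. This is an added example, not the configuration from the original thread or from the OpenLDAP project; the ou=corp / ou=external layout, the directory paths, the rootdn, the workstation network range and the placeholder credentials are assumptions, and "tls start" assumes the AD domain controller presents a certificate that slapd trusts.

```conf
# Added example, not the poster's or the OpenLDAP project's configuration.
# Assumed tree layout:
#   dc=mascorp,dc=com              local hdb database (superior / glue)
#   ou=external,dc=mascorp,dc=com  local entries for 3rd-party users
#   ou=corp,dc=mascorp,dc=com      proxied view of AD (subordinate)
include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/nis.schema
include /cluster/centauth/etc/schema/microsoft.minimal.schema

pidfile  /cluster/centauth/var/run/slapd.pid
argsfile /cluster/centauth/var/run/slapd.args
loglevel stats        # loglevel -1 records every operation and bind DN; use it for debugging only

# --- subordinate first: slapd.conf requires a subordinate database to be
# --- defined before its superior
database ldap
suffix   "ou=corp,dc=mascorp,dc=com"
subordinate
uri      "ldap://corp-ad.mascorp.com"
tls      start tls_reqcert=demand   # StartTLS so the service-account password is not sent in clear (assumed AD certificate)
chase-referrals no                  # AD answers subtree searches with referrals to other partitions; do not follow them
protocol-version 3

# mode=none: every client connection, anonymous ones included, is forwarded
# to AD under the service account and no proxied-authorization control is sent.
# Anyone who can reach this slapd therefore reads AD as agis-ldap, so the
# "access" lines below and network reachability are the real gate.
idassert-bind bindmethod=simple
    binddn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com"
    credentials="CHANGE-ME-placeholder"
    mode=none
acl-bind bindmethod=simple
    binddn="cn=agis-ldap,ou=service accounts,ou=administrators,dc=mascorp,dc=com"
    credentials="CHANGE-ME-placeholder"

overlay rwm
# clients see ou=corp,dc=mascorp,dc=com; AD is asked for dc=mascorp,dc=com
rwm-suffixmassage "dc=mascorp,dc=com"
rwm-map attribute uid sAMAccountName
rwm-map attribute homeDirectory unixHomeDirectory
rwm-map attribute *
rwm-map objectclass posixAccount organizationalPerson
rwm-map objectclass inetOrgPerson user

# pcache is listed after rwm so it sits outside it (the last overlay listed is
# called first) and caches entries under the names the workstations use.
overlay pcache
pcache hdb 10000 1 50 300
pcacheAttrset 0 uid uidNumber gidNumber homeDirectory loginShell gecos cn
pcacheTemplate (uid=) 0 3600 600
pcacheTemplate (&(objectClass=)(uid=)) 0 3600 600
directory /cluster/centauth/var/pcache-data
index objectClass eq
index uid eq

access to dn.subtree="ou=corp,dc=mascorp,dc=com"
    by peername.ip=10.0.0.0%255.0.0.0 read   # assumed workstation network
    by * none

# --- superior: local users live here; a search based at dc=mascorp,dc=com
# --- is glued across this database and the AD subordinate
database hdb
suffix    "dc=mascorp,dc=com"
rootdn    "cn=Manager,dc=mascorp,dc=com"
rootpw    "{SSHA}placeholder-generate-with-slappasswd"
directory /cluster/centauth/var/openldap-data
index objectClass eq
index uid,uidNumber,gidNumber eq
index memberUid eq

access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.subtree="dc=mascorp,dc=com"
    by peername.ip=10.0.0.0%255.0.0.0 read
    by * none
```

The dc=mascorp,dc=com and ou=external,dc=mascorp,dc=com entries have to be created in the hdb database with ldapadd before the glue works. The AD password still sits in slapd.conf twice, so the file should be readable only by the slapd user, and the workstation-side "ssl no" in the posted /etc/ldap.conf means user passwords travel to sso.mascorp.com in clear; pairing mode=none with the peername restrictions keeps the service account from becoming an anonymous read path into AD for anything else on the network.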
openldap-technical@openldap.org