Hello everyone!
I have been trying to configure slapd for a week to use it as a proxy for Google's LDAP service in order to connect some legacy applications. Since I have multiple domains in Google, I need to centralize all users into a common "dc."
Everything is working well, but the problem is that, apparently, when connecting to Google, I am provided with a certificate that I download from the admin console. However, with that certificate alone, slapd cannot connect to the target. So, I generate some credentials from the Google LDAP admin and add them to the slapd configuration. The issue is that, for some reason, slapd converts the username to lowercase, and Google rejects it because it is case-sensitive. Is it possible to disable this function? (There is no way to create a user in Google that is only in lowercase)
Here is my current slapd configuration:
################################################################
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/nis.schema

modulepath /usr/lib/ldap
moduleload back_meta.la
moduleload back_ldap.la

database meta
suffix "dc=proxy"
rootdn "cn=admin,dc=proxy"
rootpw 1234

## example.com
uri "ldap://172.25.3.127:2636/dc=proxy"
suffixmassage "dc=proxy" "dc=example,dc=com"
lastmod off
readonly on
idassert-bind bindmethod=simple
    binddn="ChiwewDaw"
    credentials="ASk0i9ejiosej9o303"
    tls_reqcert=demand
    tls_reqsan=demand
    starttls=critical
    tls_cert=/root/ldapcerts/ldap_cert.crt
    tls_key=/root/ldapcerts/ldap_cert.key
    tls_cacert=/root/ldapcerts/ca/gtsr1.pem
##################################################################
Thank you for your assistance!
(ps: If anyone knows how to make it work using only the certificate, that would be great.)
--On Monday, November 4, 2024 5:22 PM -0300 tmp 2810 t2810mp@gmail.com wrote:
> idassert-bind bindmethod=simple

If you want to use certificates, you need to use SASL/EXTERNAL as the bind method.

> binddn="ChiwewDaw"

This is not a DN, thus not a valid value.

> credentials="ASk0i9ejiosej9o303"

Hoping you didn't just expose a live password to the world.
--Quanah
openldap-technical@openldap.org
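As an added illustration of the SASL/EXTERNAL form of idassert-bind that the reply points to (this is not configuration from the thread; the target URI, suffix massage and certificate paths are reused from the poster's config, and the remote server is assumed to accept a SASL/EXTERNAL bind and map the client certificate's subject to an identity):

```conf
## back-meta target block: identity asserted from the TLS client certificate.
## In slapd.conf a line that starts with whitespace continues the previous
## directive, so the idassert-bind parameters can be split across lines.
## With bindmethod=sasl saslmech=EXTERNAL there is no binddn= and no
## credentials=, so no proxy password is stored in the file at all and the
## bind identity is whatever the remote side derives from the certificate
## (the case-folding problem with a quoted username never arises).
uri "ldap://172.25.3.127:2636/dc=proxy"
suffixmassage "dc=proxy" "dc=example,dc=com"
readonly on
idassert-bind bindmethod=sasl
    saslmech=EXTERNAL
    starttls=critical
    tls_reqcert=demand
    tls_reqsan=demand
    tls_cert=/root/ldapcerts/ldap_cert.crt
    tls_key=/root/ldapcerts/ldap_cert.key
    tls_cacert=/root/ldapcerts/ca/gtsr1.pem
## The key file is a credential: keep it readable only by the user slapd
## runs as. Likewise, rootpw should hold a hash produced by slappasswd
## (e.g. an {SSHA} value) rather than a cleartext string like 1234.
```

SASL/EXTERNAL needs slapd and libldap built with SASL support, and whether the remote LDAP service accepts an EXTERNAL bind over the proxy's client certificate is a property of that service, not of this configuration.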