My goal is to [manually] maintain a database of users using an OpenLDAP directory, with some set of attributes and values. All of those users have their second accounts in different external LDAP directories (2 directories). For those users, I want the OpenLDAP server to pass through simple_bind authentication to one of those directories.
When I manually create a user in the OpenLDAP directory, I want to specify `backend keys` in some attributes that will tell the OpenLDAP server how to process the user's simple_bind authentication. For example, I can specify some sort of attributes like `backendRealm = ActiveDirectory1` and `mail = jack@contoso.com` to tell OpenLDAP to look up the object DN on servers from group `ActiveDirectory1` with the `mail=jack@contoso.com` filter and try to simple_bind against one server from group `ActiveDirectory1` using the DN it found and the password the user originally provided.
DNs of all users are not even partially equal between directories. Suffixes are different too. All OpenLDAP users and attributes are maintained manually, without proxying (except authentication).
Please help me: can I do this somehow using OpenLDAP? Can I do this without using SASLD?
Alex.
--On Tuesday, February 4, 2025 8:41 PM +0300 "Alexey D. Filimonov" alexey@filimonic.net wrote:
Have you read up on slapo-remoteauth?
--Quanah
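A minimal slapd.conf fragment showing how slapo-remoteauth would be wired up for the setup described in the opening message, as an added example that is not from this thread or from the OpenLDAP project; the host names, the custom attribute names (backendRealm, backendDN), the auxiliary object class and the remoteauth_tls keywords are assumptions to be checked against slapo-remoteauth(5):

```conf
# slapd.conf fragment: pass simple binds through to one of two AD forests.
# Added example, not from the thread. Host names, the custom attribute
# names and the remoteauth_tls keywords are assumptions; see slapo-remoteauth(5).

# The local database holds the manually maintained user entries.
database    mdb
suffix      "dc=example,dc=org"
rootdn      "cn=admin,dc=example,dc=org"
directory   /var/lib/ldap

# Only the admin may write the two routing attributes: whoever can change
# them decides which remote server receives a user's cleartext password.
access to attrs=backendRealm,backendDN
    by dn.exact="cn=admin,dc=example,dc=org" write
    by self read
    by * none

overlay remoteauth

# Each realm value found in the local entry selects a remote server.
remoteauth_mapping  ActiveDirectory1  dc1.ad1.example.internal
remoteauth_mapping  ActiveDirectory2  dc1.ad2.example.internal

# Local attributes the overlay reads to build the remote bind:
#   backendRealm  ->  key into the mapping table above
#   backendDN     ->  name to bind as on the remote server
remoteauth_domain_attribute  backendRealm
remoteauth_dn_attribute      backendDN

# The user's password travels to the remote server in the clear inside the
# simple bind, so require TLS on that hop (keyword syntax assumed).
remoteauth_tls  starttls=critical tls_reqcert=demand tls_cacert=/etc/ldap/ad-ca.pem
remoteauth_retry_count 1

# Example local entry (LDIF, maintained by hand). There is no search-by-mail
# step: the overlay binds with the name stored in backendDN as-is. AD accepts
# a UPN such as jack@contoso.com as the simple-bind name, so that can be
# stored instead of the full remote DN.
#   dn: uid=jack,ou=people,dc=example,dc=org
#   objectClass: inetOrgPerson
#   objectClass: backendUser          # assumed auxiliary class for the two attrs
#   uid: jack
#   mail: jack@contoso.com
#   backendRealm: ActiveDirectory1
#   backendDN: jack@contoso.com
#   (no userPassword: the overlay is meant for entries whose password lives remotely)
```

Test it with a plain `ldapwhoami -x -D uid=jack,ou=people,dc=example,dc=org -W` against the OpenLDAP server while watching the AD security log for the corresponding logon from the slapd host.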
Thank you. Can I ask how you got the information about this overlay? It is not even mentioned in the Admin Guide at all.
--On Friday, February 7, 2025 6:30 PM +0300 "Alexey D. Filimonov" alexey@filimonic.net wrote:
Thank you. Can I ask you how did you get info about this overlay? This is not even mentioned in Admin Guide at all.
The admin guide is not the authoritative source for information, the man pages are. Contributions for improving the admin guide are always welcome.
I would note that remoteauth was listed in the release announcement for OpenLDAP 2.5:
https://www.openldap.org/software/release/announce_lts.html
Regards, Quanah
Just wanted to thank you for this link. It [remoteauth overlay] worked like a charm.
openldap-technical@openldap.org