Hi Everyone,
Like many organizations, we have two authentication systems here. I am trying to figure out a way of synchronizing LDAP passwords with AD passwords; or proxying the requests to AD. Management wants to keep LDAP intact, while enjoying the flexibility of single password.
I have unsuccessfully tried to use the proxy functionality of LDAP to get user information from AD. First of all, AD needs a user name and password to retrieve information. Is there a way of specifying a username/password? Even the following ldapsearch FAILS on the openldap server, but the same query works fine for the AD server.
ldapsearch -LLL -x -h localhost -b 'cn=users,dc=internal,dc=phg,dc=com,dc=au' -D "ldapauth@internal.phg.com.au" -W -x

ldapsearch -LLL -x -h localhost -b 'dc=internal,dc=phg,dc=com,dc=au' -D "CN=Ldap Authentication,OU=Linux,OU=InformationTechnology,OU=Portland House,OU=Sites,DC=internal,DC=phg,DC=com,DC=au" -W -x
Here is the relevant slapd.conf snippet.
database        ldap
suffix          "cn=users,dc=internal,dc=phg,dc=com,dc=au"
subordinate
rebind-as-user
uri             "ldap://192.168.100.100/"
chase-referrals yes
Any help is appreciated. Thank you very much.
Cheers Nazeer
Nazeeruddin Mohammad wrote:
Hi Everyone,
Like many organizations, we have two authentication systems here. I am trying to figure out a way of synchronizing LDAP passwords with AD passwords; or proxying the requests to AD. Management wants to keep LDAP intact, while enjoying the flexibility of single password.
Your management obviously has no idea what they're talking about. AD is not LDAP so "keeping LDAP intact" is nonsense.
I have unsuccessfully tried to use the proxy functionality of LDAP to get user information from AD. First of all, AD needs a user name and password to retrieve information. Is there a way of specifying a username/password? Even the following ldapsearch FAILS on the openldap server, but the same query works fine for the AD server.
ldapsearch -LLL -x -h localhost -b 'cn=users,dc=internal,dc=phg,dc=com,dc=au' -D "ldapauth@internal.phg.com.au" -W -x
LDAP Simple Bind requests require an LDAPDN. "ldapauth@wherever" is not a DN. (See RFC4511 and RFC4514. This is one of the things we mean when we say "AD is not LDAP.")
As for using AD usernames - yes, use an LDAP Sasl Bind instead.
ldapsearch -LLL -x -h localhost -b 'dc=internal,dc=phg,dc=com,dc=au' -D "CN=Ldap Authentication,OU=Linux,OU=InformationTechnology,OU=Portland House,OU=Sites,DC=internal,DC=phg,DC=com,DC=au" -W -x
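An added configuration example (mine, not from this thread or the OpenLDAP project) that applies the point above: every bind name that passes through slapd, including the proxy's own, must be an RFC 4514 DN. slapd validates the bind DN in its frontend before the request ever reaches back-ldap, so "ldapauth@internal.phg.com.au" is refused with invalidDNSyntax; accepting that UPN form is an AD extension to simple bind. The stanza also enforces TLS on both hops, so neither the proxy account's password nor users' passwords cross the network in clear. It assumes OpenLDAP 2.4 back-ldap; the host name, certificate paths, the proxy credential and the superior database are placeholders.

```conf
# slapd.conf -- added example; host names, paths and credentials are placeholders.
# (slapd.conf comments must start a line; a trailing "# ..." after a directive
#  is parsed as extra arguments, so all notes here sit on their own lines.)

# Global: slapd offers StartTLS to its clients and refuses any simple bind
# on a connection with ssf < 128 (confidentialityRequired).
TLSCACertificateFile   /etc/openldap/cacerts/internal-ca.pem
TLSCertificateFile     /etc/openldap/certs/ldap.crt
TLSCertificateKeyFile  /etc/openldap/certs/ldap.key
security               simple_bind=128

# "subordinate" only works if a superior database whose suffix is the parent
# (here dc=internal,dc=phg,dc=com,dc=au) is also defined in this file.
database          ldap
suffix            "cn=users,dc=internal,dc=phg,dc=com,dc=au"
subordinate
uri               "ldap://ad1.internal.phg.com.au/"
# StartTLS on the hop to AD as well.
tls               start
protocol-version  3
chase-referrals   yes
rebind-as-user    yes

# Identity slapd itself uses on the remote server for its own ACL lookups
# (binddn/bindpw are the deprecated spelling of this directive).
# It MUST be an RFC 4514 DN: "ldapauth@internal.phg.com.au" is a UPN, which
# AD accepts but slapd rejects with invalidDNSyntax before back-ldap sees it.
# The credential is a placeholder; keep slapd.conf mode 0600.
acl-bind  bindmethod=simple
          binddn="CN=Ldap Authentication,OU=Linux,OU=InformationTechnology,OU=Portland House,OU=Sites,DC=internal,DC=phg,DC=com,DC=au"
          credentials="proxy-account-password"
```

Check it from a client with `ldapwhoami -x -ZZ -H ldap://localhost -D "CN=Ldap Authentication,OU=Linux,OU=InformationTechnology,OU=Portland House,OU=Sites,DC=internal,DC=phg,DC=com,DC=au" -W`, which should echo that DN back through the proxy; the same command without `-ZZ` is refused with confidentialityRequired, which is the intended behaviour. To authenticate with an AD-style user name instead of a DN, do as Howard says and use a SASL bind against AD directly (`kinit ldapauth@INTERNAL.PHG.COM.AU`, then `ldapsearch -H ldap://ad1.internal.phg.com.au -Y GSSAPI -b 'dc=internal,dc=phg,dc=com,dc=au' ...`): back-ldap forwards a client's simple bind, but a client's Kerberos (GSSAPI) bind cannot be relayed through the proxy.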
Sorry, I couldn't pass the message properly. We want to use openldap, as many services depend on it. However, we want to synchronize LDAP user accounts with those on AD. This means users need to remember only one password.
I heard that there is a possibility of doing this through openldap's proxy feature.
Could anyone enlighten me on how to accomplish this? Or, is there any other way of doing this?
Here is my slapd.conf snippet
database        ldap
suffix          "cn=users,dc=internal,dc=phg,dc=com,dc=au"
subordinate
rebind-as-user
uri             "ldap://192.168.100.100/"
binddn          "CN=Ldap Authentication,OU=Linux,OU=InformationTechnology,OU=land House,OU=Sites,DC=int,DC=phf,DC=com,DC=au"
bindpw          "Mypassword"
chase-referrals yes
Regards,
Nazeer

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, 29 August 2008 10:26 AM
To: Nazeeruddin Mohammad
Cc: 'openldap-technical@openldap.org'
Subject: Re: Proxy to Active Directory
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
On Fri, 2008-08-29 at 15:14 +1000, Nazeeruddin Mohammad wrote:
Perhaps set the userPassword attribute to {SASL}user@AD.DOMAIN and have SASL handle the forwarding of the simple binds into kerberos kinit requests?
(I did this, to a bundled Heimdal many years ago, I don't know if it works how you want however).
Otherwise, perhaps look for a redirection via PAM to winbindd or pam_krb5?
Andrew Bartlett
On Friday 29 August 2008 14:07:11 Andrew Bartlett wrote:
There is a feature hidden in ITS that would provide a better solution, allowing for authentication to still work if/when AD is unavailable (due to network issue, firewall issue etc.).
http://www.openldap.org/its/index.cgi/Contrib?id=5042;selectid=5042
However, there has been no discussion on it in the past year.
I have tested it (against a Heimdal kdc), but it kind of defeats the point if you can't use hdb_ldap at the same time :-P (and there are issues to be resolved to make it work with ppolicy). However, it does work ...
Regards, Buchan
Buchan Milne wrote:
There is a feature hidden in ITS that would provide a better solution, allowing for authentication to still work if/when AD is unavailable (due to network issue, firewall issue etc.).
http://www.openldap.org/its/index.cgi/Contrib?id=5042;selectid=5042
The problem with this approach is that it stores a copy of the password within OpenLDAP. Depending on the security policy that's maybe not what one wants.
Ciao, Michael.
On Friday 29 August 2008 17:05:52 Michael Ströder wrote:
Buchan Milne wrote:
There is a feature hidden in ITS that would provide a better solution,
(depending on your requirements)
allowing for authentication to still work if/when AD is unavailable (due to network issue, firewall issue etc.).
http://www.openldap.org/its/index.cgi/Contrib?id=5042;selectid=5042
The problem with this approach is that it stores a copy of the password within OpenLDAP. Depending on the security policy that's maybe not what one wants.
But, the operational policy may require it .... the OpenLDAP administrator is the only person who can make/implement that decision, I don't see a reason to prevent the administrator from doing this. It is better than a clear-text simple bind using the {SASL} feature (which would expose the cleartext password that you are trying to protect).
Regards, Buchan
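To make Andrew's {SASL} suggestion and Buchan's caveat about it concrete, here is an added configuration example (mine, not from this thread or the OpenLDAP project). OpenLDAP keeps the user entries, the userPassword value carries no secret at all, and a simple bind is verified by saslauthd obtaining a Kerberos ticket from the AD domain. It assumes slapd built with Cyrus SASL, saslauthd with the kerberos5 mechanism, an /etc/krb5.conf that points realm INTERNAL.PHG.COM.AU at the AD domain controllers, and placeholder DNs and paths.

```conf
# Added example; DNs, paths and the realm are placeholders.

# 1. Per-user entry in OpenLDAP (LDIF). No hash is stored: the value names
#    the Kerberos principal whose password saslauthd must verify.
dn: uid=nazeer,ou=People,dc=internal,dc=phg,dc=com,dc=au
userPassword: {SASL}nazeer@INTERNAL.PHG.COM.AU

# 2. Cyrus SASL configuration for the slapd application
#    (/etc/sasl2/slapd.conf, or /usr/lib/sasl2/slapd.conf on some builds):
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# 3. saslauthd checks the password by obtaining a TGT from the AD KDC
#    (/etc/default/saslauthd on Debian, /etc/sysconfig/saslauthd on Red Hat):
MECHANISMS="kerberos5"

# 4. slapd.conf. {SASL} only works for simple binds, so slapd receives the
#    cleartext password: require TLS for them. The saslauthd socket should be
#    reachable only by the uid slapd runs as.
TLSCertificateFile     /etc/openldap/certs/ldap.crt
TLSCertificateKeyFile  /etc/openldap/certs/ldap.key
security               simple_bind=128
```

Test the verifier on its own first with `testsaslauthd -u nazeer -r INTERNAL.PHG.COM.AU -p 'the-AD-password'`, which must report OK, and only then `ldapwhoami -x -ZZ -H ldap://localhost -D uid=nazeer,ou=People,dc=internal,dc=phg,dc=com,dc=au -W`. Two things to keep in mind: nothing is cached, so, as Buchan says, binds fail whenever the KDC is unreachable; and the kerberos5 check proves the password by getting a TGT, so unless that TGT is verified against the host's keytab a rogue KDC answering for the realm can approve any password (keep the host's clock synchronised and confirm how your saslauthd build handles this). The cleartext password is seen by slapd and saslauthd only; Kerberos pre-authentication uses it as a key rather than sending it to the KDC.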