I have two LDAP servers (Active Directory) with users:

On AD horns-and-hooves.org:
  cn=Jane Smith,ou=users,dc=horns-and-hooves,dc=org
    cn: jane.smith@contoso.com

On AD bells-and-whistles.com:
  cn=John Snow,ou=users,ou=europe,dc=bells-and-whistles,dc=com
    mail: john.snow@contoso.com

And for the mail system, I need to pull some of those users into a single OpenLDAP database (dc=internal), add some mail-system-specific attributes (that don't exist in the source ADs) and add pass-through authentication for them to the AD server where they belong. Like this:

  cn=jane.smith,ou=horns-and-hooves,dc=internal
    mailQuota: 10
    imapHost: imap1
    mail: jane.smith@contoso.com
    sourceOrg: horns-and-hooves

  cn=john.snow,ou=bells-and-whistles,dc=internal
    mailQuota: 20
    imapHost: imap2
    mail: john.snow@contoso.com
    sourceOrg: bells-and-whistles

I expect an algorithm like this: first, I manually create the users in the OpenLDAP directory, without passwords, with the correct attributes.

When Jane does a simple bind to the OpenLDAP server, the server determines whether the user belongs to the horns-and-hooves organization or to bells-and-whistles. If "horns-and-hooves", then the server searches ldap://horns-and-hooves.org:389/dc=horns-and-hooves,dc=org for '(mail=$1)', where $1 is the value of the user's `mail` attribute. It finds one entry, and OpenLDAP tries to bind to ldap://horns-and-hooves.org:389 with the DN of the entry found and the password Jane provided to OpenLDAP. If "bells-and-whistles", then the backend server is ldap://bells-and-whistles.com:389/dc=bells-and-whistles,dc=com, and the rest is the same.

How would the server determine whether a user is a horns-and-hooves user or a bells-and-whistles user: based on some attribute value (sourceOrg) or based on the DN value (ou=horns-and-hooves,dc=internal vs ou=bells-and-whistles,dc=internal)? I don't know if any of this is possible.

Does implementing this algorithm require saslauthd, or can it be done with OpenLDAP only?

Could you please help me get this configuration done?
On Sun, Feb 02, 2025 at 08:59:49AM -0000, alexey@filimonic.net wrote:
> And for the mail system, I need to pull some of those users into a single OpenLDAP database (dc=internal), add some mail-system-specific attributes (that don't exist in the source ADs) and add pass-through authentication for them to the AD server where they belong. Like this:
>
>   cn=jane.smith,ou=horns-and-hooves,dc=internal
>     mailQuota: 10
>     imapHost: imap1
>     mail: jane.smith@contoso.com
>     sourceOrg: horns-and-hooves
>
>   cn=john.snow,ou=bells-and-whistles,dc=internal
>     mailQuota: 20
>     imapHost: imap2
>     mail: john.snow@contoso.com
>     sourceOrg: bells-and-whistles
>
> I expect an algorithm like this: first, I manually create the users in the OpenLDAP directory, without passwords, with the correct attributes.
>
> How would the server determine whether a user is a horns-and-hooves user or a bells-and-whistles user: based on some attribute value (sourceOrg) or based on the DN value (ou=horns-and-hooves,dc=internal vs ou=bells-and-whistles,dc=internal)? I don't know if any of this is possible.
>
> Does implementing this algorithm require saslauthd, or can it be done with OpenLDAP only?
>
> Could you please help me get this configuration done?
You might want to explore whether the remoteauth overlay (maybe in combination with others?) could help you here. Unfortunately, nothing specific comes to mind, but others here might have dealt with something similar?
Regards,
Yes, thanks, remoteauth worked. This is my second message on the same topic, sorry; moderation took long and I thought my message had got lost.
On 2025-02-17 13:58, Ondřej Kuzník wrote:
> On Sun, Feb 02, 2025 at 08:59:49AM -0000, alexey@filimonic.net wrote:
>> And for the mail system, I need to pull some of those users into a single OpenLDAP database (dc=internal), add some mail-system-specific attributes (that don't exist in the source ADs) and add pass-through authentication for them to the AD server where they belong. Like this:
>>
>>   cn=jane.smith,ou=horns-and-hooves,dc=internal
>>     mailQuota: 10
>>     imapHost: imap1
>>     mail: jane.smith@contoso.com
>>     sourceOrg: horns-and-hooves
>>
>>   cn=john.snow,ou=bells-and-whistles,dc=internal
>>     mailQuota: 20
>>     imapHost: imap2
>>     mail: john.snow@contoso.com
>>     sourceOrg: bells-and-whistles
>>
>> I expect an algorithm like this: first, I manually create the users in the OpenLDAP directory, without passwords, with the correct attributes.
>>
>> How would the server determine whether a user is a horns-and-hooves user or a bells-and-whistles user: based on some attribute value (sourceOrg) or based on the DN value (ou=horns-and-hooves,dc=internal vs ou=bells-and-whistles,dc=internal)? I don't know if any of this is possible.
>>
>> Does implementing this algorithm require saslauthd, or can it be done with OpenLDAP only?
>>
>> Could you please help me get this configuration done?
>
> You might want to explore whether the remoteauth overlay (maybe in combination with others?) could help you here. Unfortunately, nothing specific comes to mind, but others here might have dealt with something similar?
>
> Regards,
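The thread ends with "remoteauth worked" but no configuration, so here is an added slapd.conf sketch of what a slapo-remoteauth setup for the scenario above could look like. It is editorial example material, not the original poster's working config and not text from the OpenLDAP project. As I read slapo-remoteauth(5), the overlay does not perform the "search AD by mail, then bind as the DN found" step the original post describes; it binds to the remote server with a name taken from an attribute of the local entry, so the example assumes a custom DN-syntax attribute (called adBindDN here, defined in the poster's own schema) holding each user's AD distinguishedName, and uses the sourceOrg attribute from the post to pick the target AD. Host names, ports, CA path and the "OpenLDAP 2.6 or later" requirement are assumptions; the remoteauth_tls option syntax is assumed to follow the slapd-ldap(5) tls directive. Check every directive against the slapo-remoteauth(5) man page of the release you run before deploying.

```conf
# Added example, not from the thread: slapd.conf fragment for the
# dc=internal database that forwards simple binds to the AD owning
# each user via slapo-remoteauth (assumed: OpenLDAP 2.6 or later).
#
# Local entries are created WITHOUT userPassword, exactly as the
# original post planned; a locally stored password would be checked
# by slapd itself instead of being forwarded.  Assumed entry shape:
#
#   dn: cn=jane.smith,ou=horns-and-hooves,dc=internal
#   mail: jane.smith@contoso.com
#   sourceOrg: horns-and-hooves
#   adBindDN: cn=Jane Smith,ou=users,dc=horns-and-hooves,dc=org
#
# adBindDN is an assumed custom attribute (DN syntax) that must be
# defined in the site's own schema, next to mailQuota/imapHost/sourceOrg.

# Only needed when the overlay was built as a loadable module.
moduleload      remoteauth.la

database        mdb
suffix          "dc=internal"
rootdn          "cn=admin,dc=internal"
directory       /var/lib/ldap/internal          # assumed path

overlay         remoteauth

# Local attribute whose value selects the remote server: the value is
# looked up as the first argument of the remoteauth_mapping lines.
remoteauth_domain_attribute     sourceOrg

# Local attribute whose value is used as the bind name on the remote
# server.  AD accepts its own distinguishedName here (a UPN also works
# if you prefer to store userPrincipalName instead).
remoteauth_dn_attribute         adBindDN

# One mapping per source organisation.  The user's cleartext password
# is re-sent to the AD, so use ldaps:// (or StartTLS); the ldap://...:389
# URIs in the original post would put that password on the wire in clear.
remoteauth_mapping  horns-and-hooves    ldaps://horns-and-hooves.org:636
remoteauth_mapping  bells-and-whistles  ldaps://bells-and-whistles.com:636

# Verify the AD certificate chain; credentials must never be forwarded
# to an unverified peer.  Option syntax assumed to match slapd-ldap(5)
# "tls"; CA path is a placeholder.
remoteauth_tls  tls_cacert=/etc/ssl/certs/corp-ad-ca.pem tls_reqcert=demand

# Retry the remote bind a few times on transient connection failures.
remoteauth_retry_count  3
```

Two operational checks worth doing once this is in place: bind as a test user with `ldapwhoami -H ldap://localhost -D cn=jane.smith,ou=horns-and-hooves,dc=internal -W` and confirm in the AD security log that the authentication arrived there (this also proves the DN in adBindDN is one AD accepts), then bind again with a wrong password and make sure slapd returns invalidCredentials rather than falling back to any local check. Keep in mind that every failed forwarded bind counts against the user's AD lockout policy, so a brute-force attempt against the mail system now locks AD accounts; put rate limiting in front of the mail service accordingly.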
openldap-technical@openldap.org