Hello.
I am new to this list so please forgive any protocol violations :)
I am starting with simple steps towards our goal to use the openldap server translucent overlay config to merge AD authentication for people at our company with local ldap account authentication for non-company people.
I am using openldap 2.4.23 on RHEL6 server.
At this point, the ldap server can access our AD servers with anonymous bind but I need authenticated access to get more information.
I have been using variations of the "Identity Assertion" steps from the openldap FAQ page (http://www.openldap.org/faq/data/cache/532.html) without success.
I am initially trying the simplest config e.g. bindmethod=simple with a valid AD account/password for this access.
I have included my current minimalist slapd.conf file if of any help.
If anyone can point me to sample working configuration file(s) or provide any recommendations, I would appreciate it.
thanks, John.
------------------------------------------
# See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/misc.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args
# Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING!
###TLSCipherSuite HIGH:MEDIUM:+SSLv2 #TLSCACertificateFile /usr/var/openldap-data/cacert.pem ###TLSCertificateFile /etc/openldap/cacerts/parcldscert.pem ###TLSCertificateKeyFile /etc/openldap/cacerts/parclds.pem ###TLSVerifyClient allow TLSVerifyClient never
### Will use TLS after I get authenticated bind working
####################################################################### # BDB database definitions #######################################################################
database bdb suffix "dc=corp,dc=ad,dc=parc,dc=com" rootdn "cn=Manager,dc=corp,dc=ad,dc=parc,dc=com"
# Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw {SSHA}EwrR01/GdI4+sdOVzZcK6Y94QbIXIw0j # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. sizelimit unlimited directory /var/lib/ldap # Indices to maintain index objectClass eq ### debug logging loglevel -1 # try transl overlay config here moduleload translucent overlay translucent translucent_local carLicense uri ldap://ADserver.corp.ad.parc.com lastmod off # idassert-bind bindmethod=simple binddn=cn=ldapacct,OU=Pseudo_User_Accounts,OU=PARC_Users,DC=corp,DC=ad,DC=parc,DC=com credentials="password" authzID=dn:cn=ldapacct,OU=Pseudo_User_Accounts,OU=PARC_Users,DC=corp,DC=ad,DC=parc,DC=com [root@virtuosity-vm84 configs]#
ok, I'll try again. I am using openldap 2.4.23 on RHEL6 server and trying to configure openldap to do simple user/password authentication to our Microsoft AD servers. I can authenticate and do commandline ldap searches with my windows test account and password ok. However, in trying to follow examples from the openldap.org website I cannot get it to work using the openldap config files. All I get from the AD servers then are the anonymous bind results.
If anyone has an actual working configuration, I would really appreciate info on how they did it. I am under a typical last minute deadline to get this going.
I am including latest slapd.conf iteration (there have been many :() for review.
thanks for any help/advice you might have.
John.
----------------------------------------------------------------------------------------------- # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/misc.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args
# Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING!
###TLSCipherSuite HIGH:MEDIUM:+SSLv2 #TLSCACertificateFile /usr/var/openldap-data/cacert.pem # will do TLS after basic authentication working. TLSVerifyClient never
sizelimit unlimited
####################################################################### # BDB database definitions #######################################################################
database bdb suffix "dc=corp,dc=ad,dc=parc,dc=com" rootdn "cn=Manager,dc=corp,dc=ad,dc=parc,dc=com"
# Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw {SSHA}EwrR01/GdI4+sdOVzZcK6Y94QbIXIw0j # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. ###sizelimit unlimited directory /var/lib/ldap # Indices to maintain index objectClass eq ### debug logging loglevel -1 moduleload translucent overlay translucent moduleload rwm overlay rwm uri ldap://blowfish.corp.ad.parc.com lastmod off # idassert-bind bindmethod=simple binddn="cn=ldapusr,OU=Pseudo_User_Accounts,OU=PARC_Users,DC=corp,DC=ad,DC=parc,DC=com" credentials=XXX authzID=dn:cn=ldapusr,OU=Pseudo_User_Accounts,OU=PARC_Users,DC=corp,DC=ad,DC=parc,DC=com
rwm-map objectclass * * rwm-map attribute * *
openldap-technical@openldap.org