Hello,
I am in a environment where we use both OpenLDAP and Active Directory. All Linux servers authenticate against OpenLDAP where we have user group, unix group (...)
I would like to keep everything the same except that when the user bind to OpenLDAP the credential should be checked against Active Directory. There is no need to retrieve/return any information from Active Directory except for the authentication.
This means that if perform a BIND and a search, the BIND should be performed against the AD but the search result should from OpenLDAP. (anonymous search is fine)
One complication is that we have 2 times of usernames:
short username: john01 long username: john.smith@example.com
The short username are used in in OpenLDAP like this:
uid=john01,ou=People,dc=example,dc=com
While the AD uses the long username. From my test when binding to AD, only the "DN" is simply set to the username.
john.smith@example.com
I am starting to seriously look at the various OpenLDAP overlay and proxy functionality but I am a bit confused on how to archive this.
Best regards,
Alexandre
On Mon, May 29, 2017 at 11:36 AM, Alexandre Rosenberg arekkusu@r42.ch wrote:
Hello,
I am in a environment where we use both OpenLDAP and Active Directory. All Linux servers authenticate against OpenLDAP where we have user group, unix group (...)
I would like to keep everything the same except that when the user bind to OpenLDAP the credential should be checked against Active Directory. There is no need to retrieve/return any information from Active Directory except for the authentication.
This means that if perform a BIND and a search, the BIND should be performed against the AD but the search result should from OpenLDAP. (anonymous search is fine)
One complication is that we have 2 times of usernames:
short username: john01 long username: john.smith@example.comThe short username are used in in OpenLDAP like this:
uid=john01,ou=People,dc=example,dc=comWhile the AD uses the long username. From my test when binding to AD, only the "DN" is simply set to the username.
john.smith@example.comI am starting to seriously look at the various OpenLDAP overlay and proxy functionality but I am a bit confused on how to archive this.
Have you looked into authenticating using GSSAPI (kerberos)? Your AD is your kerberos server. Then all you need is an openldap service user in AD and you are done.
If you have ACLs in openldap that rely on the openldap-stored user DN (uid=john01, ...), you can use authz-regexp to map the kerberos sasl entity to that probably.
On 05/29/2017 10:48 AM, Andreas Hasenack wrote:
On Mon, May 29, 2017 at 11:36 AM, Alexandre Rosenberg <arekkusu@r42.ch mailto:arekkusu@r42.ch> wrote:
Hello, I am in a environment where we use both OpenLDAP and Active Directory. All Linux servers authenticate against OpenLDAP where we have user group, unix group (...) I would like to keep everything the same except that when the user bind to OpenLDAP the credential should be checked against Active Directory. There is no need to retrieve/return any information from Active Directory except for the authentication. This means that if perform a BIND and a search, the BIND should be performed against the AD but the search result should from OpenLDAP. (anonymous search is fine) One complication is that we have 2 times of usernames: short username: john01 long username: john.smith@example.com <mailto:john.smith@example.com> The short username are used in in OpenLDAP like this: uid=john01,ou=People,dc=example,dc=com While the AD uses the long username. From my test when binding to AD, only the "DN" is simply set to the username. john.smith@example.com <mailto:john.smith@example.com> I am starting to seriously look at the various OpenLDAP overlay and proxy functionality but I am a bit confused on how to archive this.Have you looked into authenticating using GSSAPI (kerberos)? Your AD is your kerberos server. Then all you need is an openldap service user in AD and you are done.
If you have ACLs in openldap that rely on the openldap-stored user DN (uid=john01, ...), you can use authz-regexp to map the kerberos sasl entity to that probably.
+1 That's exactly how we do it here, and it works great. If you're not familiar with Kerberos yet, take the time to learn it - it's not that hard to learn, and it's time well spent.
Also, if you're going to be using AD for Kerberos in a Linux environment, you might want to know about the msktutil, which is a like ktutil, but works with AD Kerberos servers:
https://sourceforge.net/projects/msktutil/
-- Prentice
On 05/29/17 23:36 +0900, Alexandre Rosenberg wrote:
I am in a environment where we use both OpenLDAP and Active Directory. All Linux servers authenticate against OpenLDAP where we have user group, unix group (...)
This means that if perform a BIND and a search, the BIND should be performed against the AD but the search result should from OpenLDAP. (anonymous search is fine)
The short username are used in in OpenLDAP like this:
uid=john01,ou=People,dc=example,dc=com
While the AD uses the long username. From my test when binding to AD, only the "DN" is simply set to the username.
john.smith@example.com
Pass-through authentication should work if you're performing simple binds. Chapter 14 of the admin guide has a good example.
If you're doing sasl binds, use gssapi to authenticate against the AD server directly.
2017-05-29 19:00 GMT+02:00 Dan White dwhite@cafedemocracy.org:
On 05/29/17 23:36 +0900, Alexandre Rosenberg wrote:
I am in a environment where we use both OpenLDAP and Active Directory. All Linux servers authenticate against OpenLDAP where we have user group, unix group (...)
This means that if perform a BIND and a search, the BIND should be performed against the AD but the search result should from OpenLDAP. (anonymous search is fine)
The short username are used in in OpenLDAP like this:
uid=john01,ou=People,dc=example,dc=comWhile the AD uses the long username. From my test when binding to AD, only the "DN" is simply set to the username.
john.smith@example.comPass-through authentication should work if you're performing simple binds. Chapter 14 of the admin guide has a good example.
You can also find a tutorial here: https://ltb-project.org/documentation/general/sasl_delegation
Clément.
openldap-technical@openldap.org
-
Alexandre Rosenberg -
Andreas Hasenack -
Clément OUDOT -
Dan White -
Prentice Bisbal