7:36 a.m.
Hello,
I am in a environment where we use both OpenLDAP and Active Directory.
All Linux servers authenticate against OpenLDAP where we have user
group, unix group (...)
I would like to keep everything the same except that when the user bind
to OpenLDAP the credential should be checked against Active Directory.
There is no need to retrieve/return any information from Active
Directory except for the authentication.
This means that if perform a BIND and a search, the BIND should be
performed against the AD but the search result should from OpenLDAP.
(anonymous search is fine)
One complication is that we have 2 times of usernames:
short username: john01
long username: john.smith(a)example.com
The short username are used in in OpenLDAP like this:
uid=john01,ou=People,dc=example,dc=com
While the AD uses the long username. From my test when binding to AD,
only the "DN" is simply set to the username.
john.smith(a)example.com
I am starting to seriously look at the various OpenLDAP overlay and
proxy functionality but I am a bit confused on how to archive this.
Best regards,
Alexandre
7:48 a.m.
On Mon, May 29, 2017 at 11:36 AM, Alexandre Rosenberg <arekkusu(a)r42.ch>
wrote:
Hello,
I am in a environment where we use both OpenLDAP and Active Directory.
All Linux servers authenticate against OpenLDAP where we have user group,
unix group (...)
I would like to keep everything the same except that when the user bind to
OpenLDAP the credential should be checked against Active Directory.
There is no need to retrieve/return any information from Active Directory
except for the authentication.
This means that if perform a BIND and a search, the BIND should be
performed against the AD but the search result should from OpenLDAP.
(anonymous search is fine)
One complication is that we have 2 times of usernames:
short username: john01
long username: john.smith(a)example.com
The short username are used in in OpenLDAP like this:
uid=john01,ou=People,dc=example,dc=com
While the AD uses the long username. From my test when binding to AD, only
the "DN" is simply set to the username.
john.smith(a)example.com
I am starting to seriously look at the various OpenLDAP overlay and proxy
functionality but I am a bit confused on how to archive this.
Have you looked into authenticating using GSSAPI (kerberos)? Your AD is
your kerberos server. Then all you need is an openldap service user in AD
and you are done.
If you have ACLs in openldap that rely on the openldap-stored user DN
(uid=john01, ...), you can use authz-regexp to map the kerberos sasl entity
to that probably.
11:42 a.m.
On 05/29/2017 10:48 AM, Andreas Hasenack wrote:
On Mon, May 29, 2017 at 11:36 AM, Alexandre Rosenberg
<arekkusu(a)r42.ch
<mailto:arekkusu@r42.ch>> wrote:
Hello,
I am in a environment where we use both OpenLDAP and Active Directory.
All Linux servers authenticate against OpenLDAP where we have user
group, unix group (...)
I would like to keep everything the same except that when the user
bind to OpenLDAP the credential should be checked against Active
Directory.
There is no need to retrieve/return any information from Active
Directory except for the authentication.
This means that if perform a BIND and a search, the BIND should be
performed against the AD but the search result should from
OpenLDAP. (anonymous search is fine)
One complication is that we have 2 times of usernames:
short username: john01
long username: john.smith(a)example.com
<mailto:john.smith@example.com>
The short username are used in in OpenLDAP like this:
uid=john01,ou=People,dc=example,dc=com
While the AD uses the long username. From my test when binding to
AD, only the "DN" is simply set to the username.
john.smith(a)example.com <mailto:john.smith@example.com>
I am starting to seriously look at the various OpenLDAP overlay
and proxy functionality but I am a bit confused on how to archive
this.
Have you looked into authenticating using GSSAPI (kerberos)? Your AD
is your kerberos server. Then all you need is an openldap service user
in AD and you are done.
If you have ACLs in openldap that rely on the openldap-stored user DN
(uid=john01, ...), you can use authz-regexp to map the kerberos sasl
entity to that probably.
+1 That's exactly how we do it here, and it works great. If you're not
familiar with Kerberos yet, take the time to learn it - it's not that
hard to learn, and it's time well spent.
Also, if you're going to be using AD for Kerberos in a Linux
environment, you might want to know about the msktutil, which is a like
ktutil, but works with AD Kerberos servers:
https://sourceforge.net/projects/msktutil/
--
Prentice
10 a.m.
On 05/29/17 23:36 +0900, Alexandre Rosenberg wrote:
I am in a environment where we use both OpenLDAP and Active
Directory.
All Linux servers authenticate against OpenLDAP where we have user
group, unix group (...)
This means that if perform a BIND and a search, the BIND should be
performed against the AD but the search result should from OpenLDAP.
(anonymous search is fine)
The short username are used in in OpenLDAP like this:
uid=john01,ou=People,dc=example,dc=com
While the AD uses the long username. From my test when binding to AD,
only the "DN" is simply set to the username.
john.smith(a)example.com
Pass-through authentication should work if you're performing simple binds.
Chapter 14 of the admin guide has a good example.
If you're doing sasl binds, use gssapi to authenticate against the AD
server directly.
--
Dan White
11:43 a.m.
2017-05-29 19:00 GMT+02:00 Dan White <dwhite(a)cafedemocracy.org>:
On 05/29/17 23:36 +0900, Alexandre Rosenberg wrote:
>
> I am in a environment where we use both OpenLDAP and Active Directory.
> All Linux servers authenticate against OpenLDAP where we have user group,
> unix group (...)
> This means that if perform a BIND and a search, the BIND should be
> performed against the AD but the search result should from OpenLDAP.
> (anonymous search is fine)
> The short username are used in in OpenLDAP like this:
>
> uid=john01,ou=People,dc=example,dc=com
>
> While the AD uses the long username. From my test when binding to AD, only
> the "DN" is simply set to the username.
>
> john.smith(a)example.com
Pass-through authentication should work if you're performing simple binds.
Chapter 14 of the admin guide has a good example.
You can also find a tutorial here:
https://ltb-project.org/documentation/general/sasl_delegation
Clément.
2198
days inactive
2200
days old
openldap-technical@openldap.org
4 comments
5 participants
participants (5)
-
Alexandre Rosenberg -
Andreas Hasenack -
Clément OUDOT -
Dan White -
Prentice Bisbal