OpenLDAP as an anonymous bind proxy for Active Directory - openldap-technical

6 Jul 2009


      I have been attempting to configure openldap to act as a proxy for our
corporate Active Directory installation. The idea is, of course, that
users of linux workstations can use their AD credentials. While we are
also experimenting with AD integration using winbind, we also want the
option to use standard LDAP, as it means that the linux workstations do
not have to be joined to the Active Directory domain.
Many previous posts on this forum have been most helpful, (as have posts
to the openldap-software list), and I have our setup working, but there
is one strange problem. I prefer that our linux workstations can connect
to the openldap anonymously, as it means we do not have to have
credentials stored in /etc/ldap.conf. This should not be a problem
as our openldap proxy can have credentials stored for connecting
to the AD server.
But what I find is that when I start the slapd, none of the linux
workstations can connect until I first issue a query to the slapd using
valid credentials.
Eg:
1. Start slapd
/usr/local/libexec/slapd
2. Linux workstations cannot bind anonymously
3. Issue query against slapd
/usr/bin/ldapsearch -H ldap://localhost \
    -D "cn=someuser,ou=Accounts,dc=example,dc=com" \
    -w "secret" -x -s base "(objectclass=*)" namingContext
4. Linux workstations can now bind anonymously
Although there is the obvious work-around that after starting the slapd,
we issue the query above, I would kind of like to know why this is
happening. Maybe there is a better way?
I am using openldap 2.4.16, with ldap and bdb backends, and all overlays.
Operating system is CentOS 5.
Any pointers on how to improve my config would be most welcome.
My slapd.conf:
==== BEGIN slapd.conf ====
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args
loglevel 256
monitoring on
defaultsearchbase "dc=example,dc=com"
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://adserver.example.com"
# Not sure why, but when this is not set, the JDK LDAP browser
# will not connect anonymously about one time in four.
chase-referrals no
# If this is not set, the user cannot connect anonymously.
# The first connection must be bound, but subsequent connections can
# be anonymous. (More investigation required)
rebind-as-user  yes
acl-bind        bindmethod=simple
                binddn="cn=username,ou=Accounts,dc=example,dc=com"
                credentials="secret"
idassert-bind   bindmethod=simple
                binddn="cn=username,ou=Accounts,dc=example,dc=com"
                credentials="secret"
                mode=none
                flags=non-prescriptive
overlay rwm
# Because posixAccount does not exist in the Active Directory schema, we need
# to map to an objectclass that does exist. We could use user, but at this
# time we don't have a schema for the AD 'user' objectclass. It just happens
# that organizationalPerson is defined in our AD.
rwm-map objectclass posixAccount organizationalPerson
rwm-map attribute       homeDirectory unixHomeDirectory
access to dn.subtree="dc=example,dc=com"
        by * read
==== END slapd.conf ====