Hi,
Trying to get pass-through authentication working; however, I'm running into the following error in OpenLDAP:
openldap | 679ceede.3aa31e0a 0x7f2ff617e6c0 conn=1004 op=1 SRCH attr=uid mail displayName
openldap | 679ceede.3aa4b816 0x7f2ff617e6c0 conn=1004 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000019 etime=0.000172 nentries=1 text=
openldap | 679ceede.3aaafd88 0x7f2ff597d6c0 conn=1005 fd=14 ACCEPT from IP=172.16.32.1:47082 (IP=0.0.0.0:1389)
openldap | 679ceede.3aab8f34 0x7f2ff597d6c0 conn=1005 op=0 BIND dn="cn=username@domain.tld,ou=users,dc=domain,dc=local" method=128
openldap | 679ceede.3aac9267 0x7f2ff597d6c0 SASL [conn=1005] Failure: cannot connect to saslauthd server: No such file or directory
openldap | 679ceede.3aad25b9 0x7f2ff597d6c0 conn=1005 op=0 RESULT tag=97 err=49 qtime=0.000005 etime=0.000120 text=
openldap | 679ceede.3ab0191f 0x7f2ff617e6c0 conn=1005 fd=14 closed (connection lost)
openldap | 679ceede.3ab3d76a 0x7f2ff597d6c0 conn=1004 fd=13 closed (connection lost)
I followed the admin docs at:
https://www.openldap.org/doc/admin26/guide.html#Pass-Through%20authentication
Here's what I did:
Created /usr/lib/sasl2/slapd.conf with the following content:
mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/sasl2/mux
Created /etc/saslauthd.conf with the following content:
ldap_servers: ldap://192.168.xxx.xxx.xxx
ldap_search_base: OU=Users,DC=domain,DC=tld
ldap_filter: (uid=%u)
ldap_bind_dn: CN=saslauthd,CN=Users,DC=domain,DC=tld
ldap_password: somepassword
Added a user that already exists in domain.tld in openldap with the following password:
{SASL}username@domain.tld
I would appreciate some help on this.
Thanks
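An added example, not part of the post above or of the OpenLDAP documentation: the SASL failure in the log means slapd's Cyrus SASL library could not open the saslauthd Unix socket at the configured saslauthd_path, so that socket is the first thing to check. The script reads the slapd.conf SASL config from the post, reports the socket path it resolves to, tests whether a socket actually exists there, and, when a user and password are given, runs testsaslauthd through the same socket so the saslauthd-to-AD leg is exercised without slapd in the way. The config location /usr/lib/sasl2/slapd.conf, the fallback /var/run/saslauthd/mux and the presence of testsaslauthd are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: verify the saslauthd side of
# OpenLDAP pass-through authentication. slapd only hands the bind to Cyrus
# SASL, which connects to the saslauthd Unix socket named by saslauthd_path;
# "cannot connect to saslauthd server: No such file or directory" means that
# socket is not there. Paths mirror the post; SASL_CONF and the fallback
# default mux path are assumptions.

SASL_CONF="${SASL_CONF:-/usr/lib/sasl2/slapd.conf}"
DEFAULT_MUX="/var/run/saslauthd/mux"   # Cyrus SASL's compiled-in default (assumed)

# Print the value of "<key>: <value>" from a Cyrus SASL config file (last wins).
# Returns 1 when the file cannot be read.
sasl_conf_value() {
    conf="$1"; key="$2"
    [ -r "$conf" ] || return 1
    sed -n "s/^[[:space:]]*${key}:[[:space:]]*//p" "$conf" | tail -n 1
}

# Print the mux socket path slapd's SASL library will try to open:
# the configured saslauthd_path, or the default when none is configured.
saslauthd_mux_path() {
    path=""
    if [ -r "$1" ]; then
        path=$(sasl_conf_value "$1" saslauthd_path)
    fi
    printf '%s\n' "${path:-$DEFAULT_MUX}"
}

# Return 0 when a Unix socket exists at the path, 1 (with a hint) otherwise.
check_mux_socket() {
    mux="$1"
    if [ -S "$mux" ]; then
        echo "saslauthd socket present at $mux"
        return 0
    fi
    echo "no Unix socket at $mux: is saslauthd running with -m $(dirname "$mux"), and in the same container/mount namespace as slapd?" >&2
    return 1
}

# Exercise saslauthd directly through the socket, bypassing slapd.
check_auth() {
    mux="$1"; user="$2"; pass="$3"
    command -v testsaslauthd >/dev/null 2>&1 || { echo "testsaslauthd not installed" >&2; return 2; }
    testsaslauthd -f "$mux" -u "$user" -p "$pass"
}

# Usage: sh check_saslauthd.sh run [user] [password]
if [ "${1:-}" = "run" ]; then
    mux=$(saslauthd_mux_path "$SASL_CONF")
    echo "SASL config $SASL_CONF -> saslauthd socket $mux"
    check_mux_socket "$mux" || exit 1
    if [ $# -ge 3 ]; then
        check_auth "$mux" "$2" "$3"
    fi
fi
```

Because the mux is a Unix socket, saslauthd has to run in the same container as slapd or share its run directory through a volume; a saslauthd on the host is invisible to a slapd inside a container. Cyrus SASL also looks for slapd.conf in a build-dependent directory (/usr/lib/sasl2, /etc/sasl2, or an architecture-specific libdir), so confirm which one the image actually reads before trusting the file at /usr/lib/sasl2.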
On 04/02/2025 at 19:35, Dino Edwards wrote:
Did you configure olcSaslHost and olcSaslSecprops?
You can look at this documentation we wrote for LDAP Tool Box project: https://ltb-project.org/documentation/sasl_delegation.html
--On Tuesday, February 4, 2025 1:35 PM -0500 Dino Edwards dino.edwards@mydirectmail.net wrote:
Is the system it's supposed to auth against another ldap server? If so I would recommend slapo-remoteauth instead:
--Quanah
Hi, thanks for replying.
Yes, the plan is to auth against AD. I didn't even know about remoteauth, which looks much simpler to implement. The problem I'm facing is that I'm attempting to utilize the bitnami openldap container to accomplish this, and the documentation you pointed to talks about editing the slapd.conf file, which the bitnami container does not utilize. Instead it utilizes the dynamic runtime configuration engine for config flexibility, which requires an LDIF database instead. I'm not familiar enough with openldap to configure that.
--On Tuesday, February 11, 2025 6:47 AM -0500 Dino Edwards dino.edwards@mydirectmail.net wrote:
I would suggest you start with a local installation and then adapt the container configuration from there.
But here's an example for cn-config, you'd probably have to adjust for your own environment.
dn: olcOverlay={6}remoteauth,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRemoteAuthCfg
olcOverlay: {6}remoteauth
olcRemoteAuthTLS: starttls=yes tls_reqcert=never
olcRemoteAuthMapping: default ldaps://ad.example.com:636
olcRemoteAuthDNAttribute: seeAlso
olcRemoteAuthDomainAttribute: maildrop
olcRemoteAuthDefaultDomain: default
olcRemoteAuthDefaultRealm: ldaps://ad.example.com:636
olcRemoteAuthStore: FALSE
olcRemoteAuthRetryCount: 3
--Quanah
I tried loading the example below as a remoteauth.ldif file but I got the following errors. Guessing the DN is wrong here?
67ac865a.098ae3bb 0x7eff0a2166c0 connection_input: conn=1005 deferring operation: binding
67ac865a.098c174e 0x7eff0aa176c0 conn=1005 op=1 ADD dn="olcOverlay={6}remoteauth,olcDatabase={2}mdb,cn=config"
67ac865a.098cea57 0x7eff0aa176c0 conn=1005 op=1 RESULT tag=105 err=21 qtime=0.000066 etime=0.000133 text=objectClass: value #1 invalid per syntax
ldap_add: Invalid syntax (21)
additional info: objectClass: value #1 invalid per syntax
67ac865a.098d6d29 0x7eff0a2166c0 conn=1005 op=2 UNBIND
adding new entry "olcOverlay={6}remoteauth,olcDatabase={2}mdb,cn=config"
Thanks
--On Wednesday, February 12, 2025 6:38 AM -0500 Dino Edwards dino.edwards@mydirectmail.net wrote:
As I said, you'll need to adjust for your environment. You also will likely need to moduleload the remoteauth overlay.
--Quanah
Thanks, I appreciate you taking the time to assist. Trying to wrap my head around all this. The olcRemoteAuthDNAttribute: seeAlso, is that an attribute that's supposed to be present in my LDAP structure?
The documentation is not very clear on this. Let's say I need to authenticate against an AD domain with the following settings over 389 or 636:
Domain server: dc01.domain.tld
What exactly do I need to put in the remoteauth.ldif file?
I have the following but it's not even trying to authenticate with the remote server. It simply fails auth. I have added the user in openldap with the UserPassword value empty:
dn: cn=module{2},cn=config
objectClass: olcModuleList
cn: module{2}
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: remoteauth.so

dn: olcOverlay={6}remoteauth,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRemoteAuthCfg
olcOverlay: {6}remoteauth
olcRemoteAuthTLS: starttls=yes tls_reqcert=never
olcRemoteAuthMapping: default ldap://dc01.domain.tld:389
olcRemoteAuthDNAttribute: seeAlso
olcRemoteAuthDomainAttribute: maildrop
olcRemoteAuthDefaultDomain: default
olcRemoteAuthDefaultRealm: ldap://dc01.domain.tld:389
olcRemoteAuthStore: FALSE
olcRemoteAuthRetryCount: 3
Thanks
I cannot figure out how to get remoteauth to work. I would appreciate some help. I'm trying to use remoteauth against an AD domain. Using the docs and the examples, this is the config that I have but it's not authenticating to the AD domain:
remoteauth.ldif
dn: cn=module{2},cn=config
objectClass: olcModuleList
cn: module{2}
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: remoteauth.so

dn: olcOverlay={6}remoteauth,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRemoteAuthCfg
olcOverlay: {6}remoteauth
olcRemoteAuthDNAttribute: seeAlso
olcRemoteAuthDomainAttribute: o
olcRemoteAuthDefaultRealm: thedomain
olcRemoteAuthMapping: thedomain ldap://dc01.domain.tld:389
olcRemoteAuthTLS: starttls=no tls_reqcert=never
olcRemoteAuthRetryCount: 3
This is the remote user config in openldap:
dn: cn=username@domain.tld,ou=users,dc=localdomain,dc=local
objectClass: inetOrgPerson
cn: username@domain.tld
sn: Smoe
displayName: Joe Smoe
givenName: Joe
mail: username@domain.tld
o: thedomain:username
seeAlso: cn=Joe Smoe,ou=Openldap Users,dc=deeztek,dc=com
uid: username@domain.tld
userPassword::
Thanks
--On Thursday, February 20, 2025 9:27 AM -0500 Dino Edwards dino.edwards@mydirectmail.net wrote:
olcRemoteAuthTLS: starttls=no tls_reqcert=never
AD pretty much always requires TLS, but you've turned it off entirely. I would expect this to fail.
You either need to use ldaps:// + port 636 & starttls=no
OR
ldap:// + port 389
and starttls=yes
--Quanah
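An added example that is neither Quanah's code nor the OpenLDAP project's, pulling together the cn=config example earlier in the thread and the TLS rule just stated: a small shell helper that generates the module-load and overlay LDIF for the bitnami layout from the thread, derives starttls from the URI scheme so that ldaps:// gets starttls=no and ldap:// gets starttls=yes, and lints an olcRemoteAuthTLS value for the two weak settings seen above (cleartext ldap:// with starttls=no, and tls_reqcert=never). The CA bundle path, the cn=admin,cn=config bind on port 1389 used by apply_ldif, and pairing tls_reqcert=demand with the standard tls_cacert= client TLS keyword are assumptions; olcRemoteAuthDefaultRealm is left out because the thread does not settle what it should hold.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenLDAP project: generate the
# cn=config LDIF for slapo-remoteauth against AD and lint the TLS setting.
# Attribute names are the ones used in the thread; the ldapadd bind DN, the
# CA bundle path and the tls_cacert= keyword (the standard OpenLDAP client
# TLS option) are assumptions for your environment.

MODULE_PATH_DEFAULT="/opt/bitnami/openldap/lib/openldap"   # bitnami path from the thread
DB_DN_DEFAULT="olcDatabase={2}mdb,cn=config"               # database DN from the thread

# Map the remote URI scheme to the starttls value it needs: ldaps:// is
# already TLS, ldap:// must upgrade with StartTLS. Anything else is rejected.
tls_opts_for_uri() {
    case "$1" in
        ldaps://*) printf 'starttls=no\n' ;;
        ldap://*)  printf 'starttls=yes\n' ;;
        *) echo "unsupported remote URI: $1" >&2; return 1 ;;
    esac
}

# One finding per line for a (mapping URI, olcRemoteAuthTLS value) pair;
# empty output means the pair neither sends cleartext nor skips verification.
tls_findings() {
    uri="$1"; tls=" $2 "
    case "$uri" in
        ldap://*)
            case "$tls" in
                *" starttls=no "*) echo "cleartext: ldap:// with starttls=no sends every bind password to $uri unencrypted" ;;
            esac
            ;;
    esac
    case "$tls" in
        *" tls_reqcert=never "*) echo "unverified: tls_reqcert=never accepts any server certificate, so an impersonating host can harvest the passwords" ;;
    esac
}

# Emit LDIF that loads the module and attaches the overlay. Ordering indices
# such as {6} are left out so slapd assigns the next free one, which avoids
# the cn=module{2} / cn: module{1} mismatch from the thread.
# Args: remote URI, domain label, CA bundle path, [module path], [database DN]
remoteauth_ldif() {
    uri="$1"; domain="$2"; cacert="$3"
    modpath="${4:-$MODULE_PATH_DEFAULT}"; dbdn="${5:-$DB_DN_DEFAULT}"
    [ -n "$cacert" ] || { echo "a CA bundle path is required for tls_reqcert=demand" >&2; return 1; }
    tls=$(tls_opts_for_uri "$uri") || return 1
    cat <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: $modpath
olcModuleLoad: remoteauth.so

dn: olcOverlay=remoteauth,$dbdn
objectClass: olcOverlayConfig
objectClass: olcRemoteAuthCfg
olcOverlay: remoteauth
olcRemoteAuthTLS: $tls tls_reqcert=demand tls_cacert=$cacert
olcRemoteAuthMapping: $domain $uri
olcRemoteAuthDNAttribute: seeAlso
olcRemoteAuthDomainAttribute: o
olcRemoteAuthDefaultDomain: $domain
olcRemoteAuthStore: FALSE
olcRemoteAuthRetryCount: 3
EOF
}

# Load an LDIF into the running slapd. The bitnami config admin DN and the
# 1389 listener seen in the thread's log are assumptions; override via env.
apply_ldif() {
    ldapadd -H "${LDAP_URI:-ldap://localhost:1389}" -D "${CONFIG_DN:-cn=admin,cn=config}" -W -f "$1"
}

# Usage: sh remoteauth_cfg.sh generate ldaps://dc01.domain.tld:636 thedomain /etc/ssl/certs/ad-ca.pem > remoteauth.ldif
if [ "${1:-}" = "generate" ]; then
    shift
    remoteauth_ldif "$@"
fi
```

Generate the file, inspect it, then apply it with apply_ldif remoteauth.ldif; the local user entry still carries the seeAlso and o attributes from the poster's entry, since this only covers the server side. With tls_reqcert=demand the AD certificate chain has to be trusted through tls_cacert, which is exactly the check tls_reqcert=never was skipping: without it the overlay will happily send the user's password to whatever answers on port 636.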
Can you explain the intentions for " olcRemoteAuthTLS: starttls=yes tls_reqcert=never"? Starting TLS without a certificate? Do you expect encryption then?
Kind regards, Ulrich Windl
-----Original Message-----
From: Dino Edwards dino.edwards@mydirectmail.net
Sent: Wednesday, February 12, 2025 12:39 PM
To: 'Quanah Gibson-Mount' quanah@fast-mail.org; openldap-technical@openldap.org
Subject: [EXT] RE: OpenLDAP Pass-through Authentication
--On Friday, February 14, 2025 7:01 AM +0000 "Windl, Ulrich" u.windl@ukr.de wrote:
Just means it doesn't check the cert for validity AFAIK. AD often uses its own cert system so the end client may not be aware of the CA chain for the provided cert on the AD server.
--Quanah
openldap-technical@openldap.org