Hi all.
So, I'm trying to basically put a band-aid over an intentionally broken LDAP implementation. We use Okta as our single source of truth for directory services, and its implementation of LDAP intentionally leaves out uidNumber and gidNumber (and you can't change this) in order to force you to use their insanely expensive "Advanced Server Access" product. This $9500/yr expense for a minimum of 50 machines is a non-starter for the lab project we are trying to get working with LDAP. We're only talking about ~10 machines here and we very much want them to be ultimately authenticating against Okta for their passwords -- because this automatically MFAs them by default, and prevents credential proliferation for the services we run in the lab.
So basically what I want to do is set up an LDAP server which passes just about everything through to Okta, but keeps consistent uidNumber and gidNumber values for each user in Okta who logs in.
I think this is possible either with the "meta" backend or the "ldap" backend or both, but I'm not clear on how to configure these. I've followed this guide to get OpenLDAP working on a Rocky 8 server: https://kifarunix.com/install-and-setup-openldap-on-rocky-linux-8/
But that guide does not contain instructions for something like this, and even the OpenLDAP documentation is scarce when it comes to configuring backends. E.g., at https://www.openldap.org/doc/admin26/backends.html#LDAP, even just for LDAP there is no indication of how I would introduce the bind DN for the backend LDAP or how it would know what to add, and the "meta" backend has no implementation details at all: https://www.openldap.org/doc/admin26/backends.html#Metadirectory
Help?
Thanks!
On 16/06/2022 at 09:25, jarett@bioteam.net wrote:
Hello Jarett,
another approach would be to create a local OpenLDAP server and synchronize it with the Okta LDAP server using LSC: https://lsc-project.org/
You will then be able to manage local attributes easily.
jarett@bioteam.net wrote:
Implementation examples are in the test suite.
You probably want to use slapo-translucent to maintain the local attributes.
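An added configuration example that makes the slapo-translucent suggestion concrete for the setup described in the original post (a local slapd that forwards searches and user binds to Okta and stores only uidNumber/gidNumber and friends locally). It is written for this thread and is not code from the OpenLDAP project or from any of the posters. It assumes an Okta tenant named "example" (so the LDAP interface is ldaps://example.ldap.okta.com:636 with base dc=example,dc=okta,dc=com and users under ou=users), a read-only Okta service user uid=svc-lab-ldap for the proxy's own internal lookups, and Rocky 8 file paths; every one of those is a placeholder. The directives after `overlay translucent` that describe the remote side are the ones documented in slapd-ldap(5); the overlay's own directives are from slapo-translucent(5).

```conf
# Added example (not from the thread or the OpenLDAP project): slapd.conf
# for a local slapd that proxies to Okta's LDAP interface through back-ldap
# and merges locally stored POSIX attributes into the returned entries.
# Assumed placeholders: tenant "example", service user svc-lab-ldap,
# Rocky 8 paths. Replace all of them.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema        # posixAccount, posixGroup

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/lib64/openldap                    # assumed package layout
moduleload      back_mdb.la
moduleload      back_ldap.la
moduleload      translucent.la

# Local store: holds ONLY what Okta will not serve (uidNumber, gidNumber,
# homeDirectory, loginShell). The suffix must be identical to the remote
# one so that local and remote entries share the same DN and get merged.
database        mdb
suffix          "dc=example,dc=okta,dc=com"
rootdn          "cn=Manager,dc=example,dc=okta,dc=com"
rootpw          "REPLACE-WITH-slappasswd-OUTPUT"
directory       /var/lib/ldap
index           objectClass,uid,uidNumber,gidNumber eq

# Only the rootdn may write here: whoever controls uidNumber in this
# database controls file ownership on every lab host. Everyone else reads.
access to *
        by * read

overlay         translucent
# Filters on these attributes ("getent passwd 10001", "id alice") are
# evaluated against the local store. By default a filter is sent only to
# the remote, and Okta cannot answer uidNumber=10001.
translucent_local uidNumber,gidNumber,homeDirectory,loginShell
# Fail modifications the overlay would otherwise silently discard.
translucent_strict
# translucent_bind_local and translucent_pwmod_local are deliberately NOT
# set: user binds and password changes are forwarded to Okta, so Okta
# remains the only password verifier and its MFA policy still applies.

# Remote side: slapd-ldap(5) directives, placed after "overlay translucent".
uri             ldaps://example.ldap.okta.com:636
# Verify Okta's certificate; never run the proxy with tls_reqcert=never.
tls             ldaps tls_reqcert=demand tls_cacert=/etc/pki/tls/certs/ca-bundle.crt
lastmod         off          # required: remote entries carry no local operational attrs
# Identity the proxy uses for its own internal lookups (ACL checks).
# A client's simple bind is still forwarded with the client's own DN and
# password, never with this account.
acl-bind        bindmethod=simple
                binddn="uid=svc-lab-ldap,ou=users,dc=example,dc=okta,dc=com"
                credentials="REPLACE-ME"
```

To populate the local attributes, modify the remote-only entry through the proxy as the rootdn (for example add uidNumber, gidNumber, homeDirectory and loginShell to uid=alice,ou=users,dc=example,dc=okta,dc=com with ldapmodify -x -D cn=Manager,... -W); the overlay stores those values in the local mdb and creates the local entry itself (see translucent_no_glue in slapo-translucent(5)), and test034-translucent in the OpenLDAP source tree shows that exact sequence, which is the test-suite material the reply above points at. Then check both directions: ldapsearch -x -H ldap://localhost -D "uid=alice,ou=users,dc=example,dc=okta,dc=com" -W -b ou=users,dc=example,dc=okta,dc=com "(uid=alice)" uidNumber gidNumber should succeed only with alice's Okta password and return the locally stored numbers, and once sssd or nslcd is pointed at the proxy, getent passwd alice and getent passwd 10001 should both resolve. Two caveats a practitioner will hit: the NSS client's filter usually also carries objectClass=posixAccount, which the Okta entry does not have, so watch with slapd -d stats which side evaluates the filter and adjust translucent_local (objectClass may need to be listed) or the client's ldap_user_object_class until both name and numeric lookups work; and because every user's Okta password transits this proxy, expose it only over ldaps:// or ldapi://, and bind the NSS client with the Okta service account rather than anonymously, since Okta will not answer anonymous searches.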
openldap-technical@openldap.org