Heya experts.
I need some guidance. I am having difficulty deploying my requirements. I need to deploy a couple of U18 servers/containers. These servers all needs to authenticate with LDAP accounts that is active and in a certain group on AD, but the IT team doesn't want to allow IPs and ports from servers across the network and so I have to set up a ldap proxy that will speak to AD on behalf of all the other machines eg jumphost. The windows AD cannot be modified to add extra groups eg posixAccount, uidNumber, gidNumber, loginShell, homeDirectory etc.
I can successfully run a ldapsearch from the proxy machine to the AD and query a user based on the sAMAccountName and am getting successful results back from AD. However, when the jumphost (proxy set as ldap authhost) tries to authenticate with the proxy, then I see the request coming in from the jumphost to ldap proxy, and see the ldap proxy sending the request to the windows AD, but it forwards the same details as it sent to the local to the remote; eg objectClass=posixAccount, uid=testuser. This doesn't exist on the AD and so returns no result. I've tried to do rewrites and according to the packet captures, saw that the rewrite was working somewhat. I was able to rewrite uid to sAMAccountName, but not sure what to rewrite the posixAccount to....
So ideally what I'd like to see happening is that :
1) user logs onto jumphost with username "testuser" 2) user lookup & authentication goes to ldap_proxy 3) ldap_proxy send request to AD to check if user exists and is active and match against the password 4) upon username=exists, is=active, password=ok return the result to ldap_proxy 5) ldap_proxy returns the necessary to jumphost eg; a) posixAccount b) homeDirectory c) loginShell
I've tried following a couple of different options to make it work, but right now I'm not sure which option is the correct one eg; (mdb config + ldap backend) or (meta + ldap backend ) or ( ldap + pcache ) and whether to rewrite or not to rewrite. From my understanding, I am looking for something that sounds like a meta setup that combines the local and remote data...is my understanding correct?
I've seen this working at a previous employer but not sure whether their AD was modified and that is why it was working there, or whether the solution is workable without having to force the IT guys' hand and add extra vars..
I've scouted the openldap mailing list as well for answers but there is a plethora of no replies and some replies that somewhat matches what I'm trying to do...
Any guidance would be super appreciated
Am Tue, 1 Oct 2019 18:35:16 +1000 schrieb Drikus Brits drikusinaus@gmail.com:
Heya experts.
I need some guidance. I am having difficulty deploying my requirements. I need to deploy a couple of U18 servers/containers. These servers all needs to authenticate with LDAP accounts that is active and in a certain group on AD, but the IT team doesn't want to allow IPs and ports from servers across the network and so I have to set up a ldap proxy that will speak to AD on behalf of all the other machines eg jumphost. The windows AD cannot be modified to add extra groups eg posixAccount, uidNumber, gidNumber, loginShell, homeDirectory etc.
I can successfully run a ldapsearch from the proxy machine to the AD and query a user based on the sAMAccountName and am getting successful results back from AD. However, when the jumphost (proxy set as ldap authhost) tries to authenticate with the proxy, then I see the request coming in from the jumphost to ldap proxy, and see the ldap proxy sending the request to the windows AD, but it forwards the same details as it sent to the local to the remote; eg objectClass=posixAccount, uid=testuser. This doesn't exist on the AD and so returns no result. I've tried to do rewrites and according to the packet captures, saw that the rewrite was working somewhat. I was able to rewrite uid to sAMAccountName, but not sure what to rewrite the posixAccount to....
So ideally what I'd like to see happening is that :
- user logs onto jumphost with username "testuser"
- user lookup & authentication goes to ldap_proxy
- ldap_proxy send request to AD to check if user exists and is active
and match against the password 4) upon username=exists, is=active, password=ok return the result to ldap_proxy 5) ldap_proxy returns the necessary to jumphost eg; a) posixAccount b) homeDirectory c) loginShell
I've tried following a couple of different options to make it work, but right now I'm not sure which option is the correct one eg; (mdb config + ldap backend) or (meta + ldap backend ) or ( ldap + pcache ) and whether to rewrite or not to rewrite. From my understanding, I am looking for something that sounds like a meta setup that combines the local and remote data...is my understanding correct?
I've seen this working at a previous employer but not sure whether their AD was modified and that is why it was working there, or whether the solution is workable without having to force the IT guys' hand and add extra vars..
I've scouted the openldap mailing list as well for answers but there is a plethora of no replies and some replies that somewhat matches what I'm trying to do...
Any guidance would be super appreciated
Create a private schema based on AD attribute types and load this schema to ldap proxy.
-Dieter
thanks, i'll try that.
On Wed, Oct 2, 2019 at 5:40 PM Dieter Klünter dieter@dkluenter.de wrote:
Am Tue, 1 Oct 2019 18:35:16 +1000 schrieb Drikus Brits drikusinaus@gmail.com:
Heya experts.
I need some guidance. I am having difficulty deploying my requirements. I need to deploy a couple of U18 servers/containers. These servers all needs to authenticate with LDAP accounts that is active and in a certain group on AD, but the IT team doesn't want to allow IPs and ports from servers across the network and so I have to set up a ldap proxy that will speak to AD on behalf of all the other machines eg jumphost. The windows AD cannot be modified to add extra groups eg posixAccount, uidNumber, gidNumber, loginShell, homeDirectory etc.
I can successfully run a ldapsearch from the proxy machine to the AD and query a user based on the sAMAccountName and am getting successful results back from AD. However, when the jumphost (proxy set as ldap authhost) tries to authenticate with the proxy, then I see the request coming in from the jumphost to ldap proxy, and see the ldap proxy sending the request to the windows AD, but it forwards the same details as it sent to the local to the remote; eg objectClass=posixAccount, uid=testuser. This doesn't exist on the AD and so returns no result. I've tried to do rewrites and according to the packet captures, saw that the rewrite was working somewhat. I was able to rewrite uid to sAMAccountName, but not sure what to rewrite the posixAccount to....
So ideally what I'd like to see happening is that :
- user logs onto jumphost with username "testuser"
- user lookup & authentication goes to ldap_proxy
- ldap_proxy send request to AD to check if user exists and is active
and match against the password 4) upon username=exists, is=active, password=ok return the result to ldap_proxy 5) ldap_proxy returns the necessary to jumphost eg; a) posixAccount b) homeDirectory c) loginShell
I've tried following a couple of different options to make it work, but right now I'm not sure which option is the correct one eg; (mdb config + ldap backend) or (meta + ldap backend ) or ( ldap + pcache ) and whether to rewrite or not to rewrite. From my understanding, I am looking for something that sounds like a meta setup that combines the local and remote data...is my understanding correct?
I've seen this working at a previous employer but not sure whether their AD was modified and that is why it was working there, or whether the solution is workable without having to force the IT guys' hand and add extra vars..
I've scouted the openldap mailing list as well for answers but there is a plethora of no replies and some replies that somewhat matches what I'm trying to do...
Any guidance would be super appreciated
Create a private schema based on AD attribute types and load this schema to ldap proxy.
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
openldap-technical@openldap.org
-
Dieter Klünter -
Drikus Brits