Hopefully somebody can help as I am new to OpenLDAP and I've spent the whole day being overwhelmed and totally confused by the configuration of this beast. (How did it get "Lightweight" as part of its name?)
The problem I have is that I have a group of computers in my research lab at a university that I want to allow campus users to log in to. I want to authenticate the logins against the campus LDAP server but I want to augment/add group membership to the results.
So for instance the campus LDAP server might authenticate a user named "bob" and a unix groups command for bob when logged in would show {"users", "student", "webuser"}, but I want my machines to log him in with his same campus credentials but see his group membership as {"users", "student", "webuser", "research", "cloud"}.
From what I've read I can do this with the translucent overlay. The problem is that I have no idea how to get this working, let alone interface with the campus LDAP mess.
So far I can get users authenticated and logged in with authentication solely against the campus LDAP server, but nothing about the local translucent proxy is even understandable yet, let alone testable.
I have Ubuntu 16.04 and I installed ldap/slapd essentially by doing: apt-get install ldap-auth-client slapd ldap-utils
I see both /etc/ldap/slapd.d and /usr/share/slapd/slapd.conf installed.
And, as I said, I've got the machine configured via ldap.conf to authenticate against the campus LDAP server odir.csun.edu. But none of that even requires slapd installed. I realize I'll eventually need to configure/understand slapd in order to allow it to authenticate against my local server, but I'm totally lost in trying to figure that part out.
A couple of questions to start: 1) Should I be making configuration changes in /usr/share/slapd/slapd.conf or should I be using the dynamic config thingy and ldapadd/ldapmodify? Several things I read say use ldapmodify, but then EVERY example about translucent proxies that I can find demonstrates with slapd.conf. In fact almost every tutorial I've read is entrenched in slapd.conf.
2) How do I set up the translucent overlay to proxy to the campus LDAP server without making any changes to the results? If we could start there then maybe I could start getting a handle on at least a little understanding of how this starts to work.
Thanks for any help,
Jeff
On Sat, Oct 22, 2016 at 05:55:40PM -0700, Jeff Wiegley wrote:
A couple of questions to start:
- Should I be making configuration changes in /usr/share/slapd/slapd.conf or should I be using the dynamic config thingy and ldapadd/ldapmodify?
The default for the slapd package in Debian/Ubuntu is dynamic config, as this is the recommended setup for new installs going forward.
/usr/share/slapd/slapd.conf is a template; if you want to use it, you should copy it to /etc/ldap/slapd.conf, replace the placeholders with your own values, and remove the /etc/ldap/slapd.d the package set up (if both exist, slapd.conf will be ignored in favour of slapd.d).
Please read /usr/share/doc/slapd/README.Debian.gz for some important notes that are specific to how the Debian/Ubuntu package sets things up by default.
I emphasize "by default" as you are totally free to throw out the default arrangements and replace them with your own.
Several things I read say use ldapmodify, but then EVERY example about translucent proxies that I can find demonstrates with slapd.conf. In fact almost every tutorial I've read is entrenched in slapd.conf.
Updating the documentation to cn=config style is a work in progress. The contents of config directives are generally the same as for slapd.conf. For determining the structure of entries under cn=config, and the names of attribute types, I suggest looking at the system schema contained in the cn=schema,cn=config entry, where all of the configuration object classes and attribute types will be found, and at the test cases in the tests directory in the source, which cover many common setups.
I don't have time right now to look into your second question enough to give a concrete answer, sorry.
Hope that helps.
openldap-technical@openldap.org
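The reply above says the cn=config directives mirror the slapd.conf ones but does not get to the second question. The following is an added example, written for this page and not taken from the thread or from the OpenLDAP project's own documentation, of what a pass-through translucent proxy looks like in cn=config form. It assumes a stock Ubuntu slapd install (cn=config already in /etc/ldap/slapd.d, modules in /usr/lib/ldap, an existing cn=module{0} entry), that the campus naming context is dc=csun,dc=edu (a placeholder; substitute the real base DN from the campus ldap.conf), that odir.csun.edu accepts LDAPS on port 636, and that /var/lib/ldap/translucent exists and is owned by the openldap user. No attributes are overridden and the local database starts empty, so search results come back exactly as the campus server returns them.

```ldif
# Added example, not from the original thread. Placeholders and assumptions
# are noted inline; the campus suffix dc=csun,dc=edu in particular is a guess.

# 1. Load the proxy backend and the overlay. Ubuntu already ships a
#    cn=module{0} entry for back_mdb, so this is a modify, not an add.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_ldap
-
add: olcModuleLoad
olcModuleLoad: translucent

# 2. A back-ldap database whose suffix is the campus naming context.
#    Every operation under this suffix is forwarded to odir.csun.edu.
#    ldaps:// keeps users' bind passwords off the wire in the clear; if
#    the campus server only offers StartTLS, use ldap:// together with
#    "olcDbStartTLS: start" instead.
dn: olcDatabase={2}ldap,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcSuffix: dc=csun,dc=edu
olcDbURI: "ldaps://odir.csun.edu"
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: FALSE
olcRootDN: cn=admin,dc=csun,dc=edu

# 3. The translucent overlay on that database. With no olcTranslucentLocal
#    or olcTranslucentRemote list and olcTranslucentBindLocal FALSE, binds
#    are still answered by the campus server and every attribute comes from
#    it; entries in the local database below are merged on top when present.
dn: olcOverlay={0}translucent,olcDatabase={2}ldap,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcTranslucentConfig
olcOverlay: {0}translucent
olcTranslucentBindLocal: FALSE
olcTranslucentStrict: FALSE
olcTranslucentNoGlue: FALSE

# 4. The overlay's private local database, a child of the overlay entry.
#    It starts empty. A later entry here with the same DN as a campus user
#    is what adds or overrides attributes in that user's search results.
dn: olcDatabase={0}mdb,olcOverlay={0}translucent,olcDatabase={2}ldap,cn=config
changetype: add
objectClass: olcMDBConfig
objectClass: olcTranslucentDatabase
olcDatabase: {0}mdb
olcDbDirectory: /var/lib/ldap/translucent
olcRootDN: cn=admin,dc=csun,dc=edu
olcDbIndex: objectClass eq
```

Apply it with `sudo ldapmodify -a -Y EXTERNAL -H ldapi:/// -f translucent.ldif` (ldapmodify -a handles both the modify and the add records), then compare `ldapsearch -x -H ldap://localhost -b dc=csun,dc=edu uid=bob` against the same search run directly against odir.csun.edu; with the local database empty the two results should be identical. No olcRootPW is set on either database on purpose: write local entries over ldapi:/// as root, or set a hashed {SSHA} olcRootPW on the private mdb database only, rather than storing a cleartext password in cn=config. Once the pass-through works, point the lab machines' ldap.conf at this proxy instead of at the campus server, and only then start adding local entries for the extra group data.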