Hi all,
I'm just starting with openLDAP and saslauth, and I'm trying to replicate what I can achieve with ADAM/AD LDS in Windows platform.
I'm trying to use openldap to aggregate user information from several AD servers under different forests.
So, a single point of contact from an LDAP perspective for an organization, with openldap passing through each authentication request it receives to the AD DC of the respective user.
This works well with saslauthd for a single domain, but if I need to do this with multiple domains, I don't know how to configure saslauthd.
Can someone help?
Thank you,
Paulo
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 15/11/2010, at 04:59, Paulo Jorge N. Correia (paucorre) wrote:
Windows and AD utilise Kerberos. Just treat your AD servers as KRB5 realms, and it works. Both MIT and Heimdal can work with this, so following the pass-through instructions for these will work.
Alternatively, you can use AD as an LDAP server, but it follows much the same principles.
http://www.openldap.org/doc/admin24/security.html
William Brown
pgp.mit.edu
Hi William,
Maybe I didn't explain myself correctly. I have no problem making OpenLDAP work as a consolidation directory for a single Active Directory forest, with SASL doing the pass-through authentication from OpenLDAP to the AD global catalogue. What I don't know is how to do it with multiple AD domain controllers.
Let me give an example:
User: Paulo.Correia, Domain Controller: AD.cisco.com, UPN: Paulo.Correia@cisco.com
User: William.Brown, Domain Controller: AD.mit.edu, UPN: William.Brown@mit.edu
Now I want to have a single directory in OpenLDAP that holds both users and passes the authentication through to the original ADs:
# Hernani Correia, Users, cisco.com
dn: CN=Paulo Correia,CN=Users,DC=consolidated,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: Hernani Correia
sn: Correia
givenName: Hernani
userPassword: {SASL}Paulo.Correia@cisco.com
userPrincipalName: Paulo.Correia@cisco.com
mail: Paulo.Correia@cisco.com

# Hernani Correia, Users, cisco.com
dn: CN= William Brown,CN=Users,DC=consolidated,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: William Brown
sn: Brown
givenName: William
userPassword: {SASL}William.Brown@mit.edu
userPrincipalName: William.Brown@mit.edu
mail: William.Brown@mit.edu
My problem is that in /etc/saslauthd.conf I need to statically define a single LDAP server (or a fixed list of them) for the queries:
ldap_servers: ldap://ad-cisco-1.cisco.com
ldap_search_base: dc=cisco,dc=com
ldap_timeout: 10
ldap_filter: sAMAccountName=%u
ldap_bind_dn: cn=Administrator,cn=users,dc=cisco,dc=com
ldap_password: Cisco,123
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
I need to bind based on the domain, not a single bind in SASL.
Can you help?
Paulo
On 15/11/2010, at 23:04, Paulo Jorge N. Correia (paucorre) wrote:
It's good to know for sure what you wanted to do.
Jonathan seemed to have a solution for you.
My answer is to stop using AD as LDAP for authentication, and start treating them as KDCs.
For example, on my own server I have multiple KDCs listed for users, as in your situation, and each user works:
uid=william,ou=Users
userPassword: {SASL}william@CHOCOLATE.LAN
uid=michael,ou=Users
userPassword: {SASL}michael@CONCRETE.LAN
In my setup I have in slapd.conf (the SASL slapd.conf):
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
Then I launch saslauthd with '-a kerberos5', and there should be a relevant option for this on your distribution of choice.
Finally, I configure my server's krb5.conf (generally /etc/krb5.conf). Default settings are fine for this to use an AD KDC. This is my AD krb5 centre:
[realms]
    CHOCOLATE.LAN = {
        kdc = beatrice.chocolate.lan
    }
[domain_realm]
    .firstyear.id.au = CHOCOLATE.LAN
Then the @REALM attribute on userPassword will respect the relevant KDC (or in this case AD DC) of choice for a user.
Note: Yes, my home krb5 and LDAP are chocolate.lan. I couldn't be bothered accessing my work servers.
William Brown
pgp.mit.edu
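The realm selection William describes above, as an added example in Python (this is not code from the thread, OpenLDAP or Cyrus SASL): a small parser for the [realms], [domain_realm] and [libdefaults] sections of krb5.conf, and a router that takes the {SASL}user@REALM value stored in userPassword and returns the principal plus the KDC list that realm maps to. The krb5.conf text is constructed for the example; CHOCOLATE.LAN and beatrice.chocolate.lan come from the message above, while the CONCRETE.LAN KDC host names and the .concrete.lan mapping are assumptions. A value with no @REALM falls back to default_realm, and a realm missing from [realms] is rejected rather than guessed.

```python
"""Added example (not code from the thread, OpenLDAP or Cyrus SASL): models
how the REALM in a '{SASL}user@REALM' userPassword selects a KDC through
krb5.conf [realms], as William describes. Config, users and hosts below are
constructed; CONCRETE.LAN's KDCs and the .concrete.lan mapping are assumed."""
import re

KRB5_CONF = """
[libdefaults]
    default_realm = CHOCOLATE.LAN
[realms]
    CHOCOLATE.LAN = {
        kdc = beatrice.chocolate.lan
    }
    CONCRETE.LAN = {
        kdc = dc1.concrete.lan
        kdc = dc2.concrete.lan
    }
[domain_realm]
    .firstyear.id.au = CHOCOLATE.LAN
    .concrete.lan = CONCRETE.LAN
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; a 'REALM = { ... }' block inside
    [realms] becomes {realm: {key: [values]}}. Only this subset is handled."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            sections.setdefault(section, {})
            block = None
            continue
        if section is None:
            raise ValueError("directive outside any section: %r" % raw)
        if line == "}":                            # end of a realm block
            block = None
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep or not key:
            raise ValueError("malformed line: %r" % raw)
        if value == "{":                           # start of 'REALM = {'
            block = sections[section].setdefault(key, {})
            continue
        target = block if block is not None else sections[section]
        target.setdefault(key, []).append(value)   # repeated keys (kdc) stack

    return sections

SASL_RE = re.compile(r"^\{SASL\}(?P<user>[^@]+)(?:@(?P<realm>[^@]+))?$")

def split_sasl_userpassword(value, default_realm=None):
    """'{SASL}user@REALM' -> (user, realm). No '@REALM' falls back to
    default_realm; a non-{SASL} value or a missing realm is rejected."""
    m = SASL_RE.match(value)
    if not m:
        raise ValueError("not a {SASL} pass-through value: %r" % value)
    realm = m.group("realm") or default_realm
    if not realm:
        raise ValueError("no realm in %r and no default realm" % value)
    return m.group("user"), realm

def kdcs_for(userpassword, conf):
    """(principal, [kdc, ...]) for a {SASL} value. The [realms] lookup is
    exact because Kerberos realm names are case-sensitive."""
    default = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    user, realm = split_sasl_userpassword(userpassword, default)
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc")
    if not kdcs:
        raise LookupError("realm %r has no kdc entry in [realms]" % realm)
    return "%s@%s" % (user, realm), list(kdcs)

def realm_for_host(hostname, conf):
    """[domain_realm]: a leading-dot entry covers every host under that
    domain (longest match wins); an entry without one covers that host only."""
    host, best = hostname.lower().rstrip("."), None
    for pattern, realms in conf.get("domain_realm", {}).items():
        pattern = pattern.lower()
        if pattern.startswith("."):
            if host.endswith(pattern) and (best is None or len(pattern) > len(best[0])):
                best = (pattern, realms[0])
        elif host == pattern:
            return realms[0]
    return best[1] if best else None

if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for v in ("{SASL}william@CHOCOLATE.LAN", "{SASL}michael@CONCRETE.LAN", "{SASL}paulo"):
        print(v, "->", kdcs_for(v, conf))
```

The lookup is deliberately exact: Kerberos realm names are case-sensitive, and an AD realm is the upper-cased DNS domain name, so a value like {SASL}Paulo.Correia@cisco.com from the LDIF earlier in the thread fails the [realms] lookup in this model until it is written as Paulo.Correia@CISCO.COM and CISCO.COM has a kdc entry.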
From a performance perspective, which one should be faster: AD as an LDAP server, or AD as a KDC?
Paulo
On 15/11/2010, at 23:44, Paulo Jorge N. Correia (paucorre) wrote:
I have never tried, nor researched this. Both are extremely fast protocols. In this case, however, you have limited options. Again, Jonathan had an idea you may want to look into.
According to http://docs.sun.com/source/820-2550/activedir_auth.html, "Kerberos is faster", but due to the lack of supporting evidence I would take that with a grain of salt.
From a theoretical standpoint, Kerberos has less data exchanged and is somewhat simpler, and so may be faster. The only way to be sure is to test. Remember, no matter how many benchmarks I or someone else run, the only performance that matters is what you realistically achieve on your own systems.
William Brown
pgp.mit.edu
On 14/11/10 18:29, Paulo Jorge N. Correia (paucorre) wrote:
saslauthd can only launch one LDAP search to find a user and check his password. So if you're using several AD domains, you need to be able to perform a single search over all those domains: set up a back-meta with all the AD forests under it, and point saslauthd at that.
Jonathan
Jonathan,
I decided to follow both of the options, and test which one is better :)
1 - back-meta
2 - change saslauthd from LDAP to Kerberos
Regarding back-meta I need help :( In slapd.conf I have a database created for back-meta. (Strange thing is that it didn't work when I created a separate conf file per database, "include /etc/openldap/slapd_domain1.conf"; it only works if I put all the databases in the same file, as shown below.) Now, what should I configure in the saslauthd.conf file? If I point ldap_servers at it, how does it know which AD is associated with each user?
[root@openam-ldap openldap]# more ../saslauthd.conf
ldap_servers: ldap://localhost
ldap_search_base: dc=cisco,dc=com
ldap_timeout: 10
ldap_filter: uid=%u
ldap_bind_dn: cn=admin,dc=cisco,dc=com
ldap_password: Cisco,123
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind

[root@openam-ldap openldap]# more slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/openldap.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

sasl-host localhost
sasl-secprops none

database meta
suffix "dc=cisco,dc=com"
uri "ldap://localhost/ou=domain1,dc=cisco,dc=com"
suffixmassage "ou=domain1,dc=cisco,dc=com" "ou=domain1"
uri "ldap://localhost/ou=domain2,dc=cisco,dc=com"
suffixmassage "ou=domain2,dc=cisco,dc=com" "ou=domain2"

database hdb
suffix "ou=domain1"
directory "/var/lib/ldap/domain1"
rootdn "cn=admin,ou=domain1"
rootpw "Cisco,123"
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid eq,pres,sub

database hdb
suffix "ou=domain2"
directory "/var/lib/ldap/domain2"
rootdn "cn=admin,ou=domain2"
rootpw "Cisco,123"
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid eq,pres,sub
Thank you, Paulo
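Jonathan's back-meta suggestion and Paulo's question of how saslauthd's single search ends up at the right AD, as an added example in Python (a model written for this page, not OpenLDAP's back-meta code): each target is one uri line together with its suffixmassage directive; a subtree search based at the meta suffix fans out to every target whose naming context lies under that base, and the DN the search returns is routed to the one target whose virtual naming context contains it, with the suffix rewritten back to what that AD knows before the bind. The consolidated suffix follows the LDIF earlier in the thread; the two AD naming contexts and host names are assumptions.

```python
"""Added example (not OpenLDAP's back-meta code): models how a single
search over the back-meta suffix reaches the right backend, which is what
Jonathan's suggestion relies on. A target is one 'uri' line with its
'suffixmassage' directive; the consolidated suffix, the two AD naming
contexts and the host names below are constructed for the example."""

# Constructed targets: the consolidated suffix follows Paulo's LDIF; the
# real AD naming contexts and hosts are assumptions.
TARGETS = [
    {"uri": "ldap://ad-cisco-1.cisco.com",
     "virtual": "ou=domain1,dc=consolidated,dc=com", "real": "dc=cisco,dc=com"},
    {"uri": "ldap://ad.mit.edu",
     "virtual": "ou=domain2,dc=consolidated,dc=com", "real": "dc=mit,dc=edu"},
]
META_SUFFIX = "dc=consolidated,dc=com"

def split_rdns(dn):
    """Split a DN on unescaped commas; RDN text is kept as written."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):     # keep an escaped pair ('\,')
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf).strip())
    return rdns

def normalize(dn):
    """Case-fold RDNs and drop spaces around '=' so DNs compare the way a
    directory would (a simplification of LDAP matching rules)."""
    return [r.lower().replace(" =", "=").replace("= ", "=") for r in split_rdns(dn)]

def is_within(dn, suffix):
    """True when dn equals suffix or sits below it. Compared RDN by RDN, not
    as a string suffix, so 'xou=domain1,...' does not match 'ou=domain1,...'."""
    d, s = normalize(dn), normalize(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s

def massage(dn, from_suffix, to_suffix):
    """Rewrite the suffix of dn, keeping the leading RDNs as written."""
    if not is_within(dn, from_suffix):
        raise ValueError("%r is not under %r" % (dn, from_suffix))
    keep = split_rdns(dn)[:len(split_rdns(dn)) - len(split_rdns(from_suffix))]
    return ",".join(keep + split_rdns(to_suffix))

def select_target(dn, targets=TARGETS):
    """The target whose virtual naming context contains dn (longest match),
    or None when the DN belongs to no backend."""
    hits = [t for t in targets if is_within(dn, t["virtual"])]
    return max(hits, key=lambda t: len(split_rdns(t["virtual"]))) if hits else None

def route_bind(dn, targets=TARGETS):
    """What the proxy does with the DN saslauthd binds after its search:
    (backend uri, DN as that backend knows it), or None."""
    t = select_target(dn, targets)
    return None if t is None else (t["uri"], massage(dn, t["virtual"], t["real"]))

def targets_for_search(base, targets=TARGETS):
    """Backends a subtree search with this base must be sent to: every one
    whose naming context contains the base or lies under it."""
    return [t for t in targets
            if is_within(base, t["virtual"]) or is_within(t["virtual"], base)]

def virtual_dn(real_dn, target):
    """Reverse rewrite for entries coming back from a backend."""
    return massage(real_dn, target["real"], target["virtual"])

if __name__ == "__main__":
    for dn in ("CN=Paulo Correia,OU=domain1,DC=consolidated,DC=com",
               "cn=William Brown, ou=domain2, dc=consolidated, dc=com",
               "cn=x,xou=domain1,dc=consolidated,dc=com"):
        print(dn, "->", route_bind(dn))
    print([t["uri"] for t in targets_for_search(META_SUFFIX)])
```

This is why saslauthd does not need to know which AD a user belongs to: its ldap_search_base is the meta suffix, the proxy fans the search out, and the DN that comes back already carries the branch (ou=domain1 or ou=domain2) that names the backend the bind is sent to. Two things the posted configs make visible are worth fixing before this is pointed at real DCs: saslauthd.conf stores the bind password in clear and has ldap_start_tls: no, so that file needs restrictive permissions and the simple bind should be protected with ldap_start_tls: yes; the rootpw values in slapd.conf are likewise in clear, which is why the file's own header says it must not be world readable.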