I'm attempting to use OpenLDAP as a proxy to an Active Directory domain. Using the ldap backend, I'm able to configure the proxy and that configuration seems to be working well. But account entries are frequently moved from ou to ou in a domain, and Microsoft permits the bind DN to be a userPrincipalName attribute value of the entry instead of the full DN of the account; this feature avoids having to make many bind DN application configuration changes.
With just the ldap backend configured, OpenLDAP rejects the userPrincipalName (UPN) bind DN as an invalid DN. To work around this error, I was trying to see if I could use the rwm overlay to detect the UPN and convert it to the actual domain entry DN using an attribute map. If I use the form
mail=UPN
the map works as expected; however, if I only provide the UPN as the bind DN, OpenLDAP still rejects it as an invalid DN. I suspect that the rwm overlay manipulations do not take effect until after the bind DN syntax is checked. I wanted to confirm my suspicion and see if anyone else has been able to get a UPN-based bind to work through OpenLDAP.
For reference my slapd.conf configuration is below:
### Schema includes ###########################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema

## Module paths ##############################################################
modulepath /usr/lib64/openldap/
moduleload rwm

# Main settings ###############################################################
loglevel 8
sizelimit unlimited
idletimeout 600
writetimeout 30
allow bind_v2
pidfile /var/openldap/mycompany/var/slapd.pid
argsfile /var/openldap/mycompany/var/slapd.args
logfile /var/openldap/mycompany/logs/access

TLSCertificateFile /var/openldap/mycompany/certs/Server.pem
TLSCertificateKeyFile /var/openldap/mycompany/certs/Server.key
TLSCACertificateFile /var/openldap/mycompany/certs/ServerCA.pem

### Rewrite rules #############################################################
# Bind with UPN instead of full DN: we first need
# an ldap map that turns attributes into a DN (the
# argument used when invoking the map is appended to
# the URI and acts as the filter portion)
overlay rwm
rwm-suffixMassage "" "dc=mycompany,dc=com"
rwm-rewriteMap ldap attr2dn "ldaps://mycompany.com/ou=Domain%20Users,dc=mycompany,dc=com?dn?sub"
    bindwhen=now version=3
    binddn="CN=mybindacct,ou=Domain Users,DC=mycompany,DC=com"
    credentials=******

# Then we need to detect UPN DN
# note that the rule in case of match stops rewriting
# In case we are mapping virtual
# to real naming contexts, we also need to rewrite
# regular DNs, because the definition of a bindDN
# rewrite context overrides the default definition.
rwm-rewriteContext bindDN
rwm-rewriteRule "^[^=,]+@mycompany.com$" "mail=$0" ":"
rwm-rewriteRule "^mail=[^,]+@mycompany.com$" "${attr2dn($0)}" ":@"

### Database definition (Proxy to AD) #########################################
database ldap
readonly yes
protocol-version 3
rebind-as-user
uri "ldaps://mycompany.com"
suffix "dc=mycompany,dc=com"
Thanks,
Steve Vandenburgh
On Sat, 26 Oct 2019 00:28:36 +0000, "Vandenburgh, Steve Y" Steve.Vandenburgh@centurylink.com wrote:
[...] slapd requires part of AD schemas in order to operate back-ldap properly. Thus write a private schema, providing required attribute types and object classes.
-Dieter
--On Saturday, October 26, 2019 9:27 PM +0200 Dieter Klünter dieter@dkluenter.de wrote:
The MSUser schema in OpenLDAP master may be useful for this.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Thanks for the tip Quanah (and Dieter). I have added the MSUser schema to the configuration. However, I'm still getting the same behavior. If I use a bind DN like
Mail=myname@mycompany.com
which is potentially a valid DN, the rewriting is applied; however if the bind DN is just the email address e.g.
myname@mycompany.com
then OpenLDAP returns error 34 (invalid DN). So before I do more troubleshooting, I wanted to ask if the rewrite rules can be applied before the syntax check on the bind DN is done. If the OpenLDAP server always performs the syntax check on the DN before any rewrite rules are applied, then what I'm trying to accomplish (using a Microsoft UPN bind DN) cannot be done.
Thanks again,
Steve Vandenburgh LDAP Directory Services/Identity Management CenturyLink (720)738-2688
"Vandenburgh, Steve Y" Steve.Vandenburgh@centurylink.com writes:
For this sort of DN rewriting slapd.conf(5) provides 'authid-rewrite' or 'olcAuthIdRewrite' in slapd-config(5).
-Dieter
Thanks Dieter. I'm trying to perform a simple bind operation with a UPN and password. Based on this OpenLDAP mail archive: https://openldap-technical.openldap.narkive.com/8IrfS6xa/binding-with-an-e-m... authid-rewrite or olcAuthIdRewrite can only be used to modify the DN for SASL or certificate-based authentication; it can't be used to modify simple bind DNs. Is that still the case? Or is this information now out of date?
Thanks again,
Steve Vandenburgh LDAP Directory Services/Identity Management CenturyLink (720)738-2688
Michael,
I know this thread is old, but wanted to follow up by asking: would it be possible to delay the BIND DN syntax check until after rwm manipulations are completed? Unfortunately, there is a lot of client software that is dependent on this quirk but it would be very beneficial to be able to use OpenLDAP as a proxy to AD. I suspect that delaying the syntax check until after rwm manipulations would allow UPN-based authentication to work.
Thanks,
Steve Vandenburgh
-----Original Message----- From: Michael Ströder michael@stroeder.com Sent: Tuesday, October 29, 2019 4:06 PM To: Vandenburgh, Steve Y Steve.Vandenburgh@centurylink.com Cc: openldap-technical@openldap.org Subject: Re: Question about OpenLDAP and rwm overlay
On 10/29/19 4:55 AM, Vandenburgh, Steve Y wrote:
I'm trying to perform a simple bind operation with a UPN and password.
This AD-specific quirk is not possible with OpenLDAP.
Ciao, Michael.
On 1/13/20 11:20 PM, Vandenburgh, Steve Y wrote:
I know this thread is old, but wanted to follow up by asking: would it be possible to delay the BIND DN syntax check until after rwm manipulations are completed?
AFAIK it is not possible.
Note that slapo-rwm operates on syntactically correct DNs.
Ciao, Michael.
On Mon, Jan 13, 2020 at 10:20:07PM +0000, Vandenburgh, Steve Y wrote:
Hi Steve,
DN validation for binds/search bases/... happens way too early in the frontend for this to be possible. Same reason why you can't write a slapd module to handle the magic '<GUID=...>' AD DNs.
Regards,
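As an added example that is not part of this thread and not OpenLDAP code, the Python script below models the ordering the replies establish: the frontend checks the bind DN against DN syntax first and returns invalidDNSyntax (result code 34) for a bare UPN, so slapo-rwm never sees it, while the "mail=<UPN>" form is a syntactically valid DN that the posted bindDN rewrite context does map. Everything in it is constructed for illustration: the DN checker covers only a subset of RFC 4514, the in-memory directory stands in for the AD search the "attr2dn" ldap map would perform, the rules are modelled as "first matching rule rewrites and stops" (the behaviour the comment in the posted slapd.conf describes), a map that finds nothing is modelled as leaving the DN unchanged, and client_side_bind_dn is a hypothetical wrapper on the client side of the proxy.

```python
"""Model of slapd's bind-DN handling as described in the thread (constructed
example, not OpenLDAP code): syntax check in the frontend first, slapo-rwm
bindDN rewriting only afterwards."""
import re

LDAP_SUCCESS = 0
LDAP_INVALID_DN_SYNTAX = 34  # the "error 34" reported in the thread

# Subset of RFC 4514 string DNs: RDNs separated by ',', each RDN one or more
# 'type=value' pairs joined by '+'. Values may contain spaces and '@' but not
# an unescaped ',' or '+'. Hex-encoded values are not handled (assumption).
_TYPE = r"(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)"
_VALUE = r"(?:[^,+\\]|\\.)*"
_AVA = rf"{_TYPE}={_VALUE}"
_RDN = rf"{_AVA}(?:\+{_AVA})*"
_DN_RE = re.compile(rf"(?:{_RDN}(?:,{_RDN})*)?")


def is_valid_dn(dn: str) -> bool:
    """Frontend-style syntax check. The empty DN (root DSE) is valid."""
    return _DN_RE.fullmatch(dn) is not None


# Constructed stand-in for the entries under ou=Domain Users that the
# 'attr2dn' ldap rewriteMap would search with the filter "mail=<value>".
CONSTRUCTED_DIRECTORY = {
    "myname@mycompany.com": "CN=My Name,OU=Domain Users,DC=mycompany,DC=com",
}


def attr2dn(filter_ava: str):
    """Simulated 'attr2dn' map: the argument becomes the search filter
    ("mail=..."), the result is the matching entry's DN or None."""
    attr, _, value = filter_ava.partition("=")
    if attr.lower() != "mail":
        return None
    return CONSTRUCTED_DIRECTORY.get(value.lower())


# The bindDN rewrite context from the posted slapd.conf, transcribed:
# $0 is the whole match and ${attr2dn($0)} invokes the map on it.
BINDDN_RULES = [
    (re.compile(r"^[^=,]+@mycompany\.com$"), lambda m: f"mail={m.group(0)}"),
    (re.compile(r"^mail=[^,]+@mycompany\.com$"), lambda m: attr2dn(m.group(0))),
]


def rwm_rewrite_bind_dn(dn: str) -> str:
    """Apply the bindDN context: the first matching rule rewrites and stops.
    A map lookup that finds nothing leaves the DN unchanged (assumption)."""
    for pattern, action in BINDDN_RULES:
        match = pattern.match(dn)
        if match:
            rewritten = action(match)
            return dn if rewritten is None else rewritten
    return dn


def slapd_bind_dn_pipeline(bind_dn: str):
    """Ordering established in the thread: the DN is validated before any
    overlay runs, so an invalid DN never reaches slapo-rwm.
    Returns (result_code, dn_as_seen_by_back_ldap)."""
    if not is_valid_dn(bind_dn):
        return LDAP_INVALID_DN_SYNTAX, None
    return LDAP_SUCCESS, rwm_rewrite_bind_dn(bind_dn)


# Hypothetical client-side wrapper: a bare UPN (no '=', ',' or '+') is
# turned into the "mail=<UPN>" form that the proxy does accept and map.
UPN_RE = re.compile(r"^[^=,+\\]+@[^=,+\\]+$")


def client_side_bind_dn(identity: str) -> str:
    """Return a bind DN the proxy can process: 'mail=<UPN>' for a bare UPN,
    anything else (already a DN) unchanged."""
    return f"mail={identity}" if UPN_RE.match(identity) else identity


if __name__ == "__main__":
    for dn in ("myname@mycompany.com",
               "mail=myname@mycompany.com",
               client_side_bind_dn("myname@mycompany.com")):
        print(f"{dn!r:32} -> {slapd_bind_dn_pipeline(dn)}")
```

Running it shows the bare UPN stopping at the syntax check with code 34 and never being rewritten, whereas "mail=myname@mycompany.com", whether typed by the user or produced by the wrapper, passes the check and is mapped to the entry DN. In this model the first rule also rewrites a bare UPN only as far as "mail=<UPN>" and then stops, which is worth keeping in mind when reasoning about what a delayed check would have produced.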