5:28 p.m.
I'm attempting to use OpenLDAP as a proxy to an Active Directory domain. Using the
ldap backend, I'm able to configure the proxy and that configuration seems to be
working well. But account entries are frequently moved from ou to ou in a domain and
Microsoft permits the bind DN to be a userPrincipalName attribute value of the entry
instead of the full DN of the account; this features avoids having to make many bind DN
application configuration changes.
With just the ldap backend configured, OpenLDAP rejects the userPrincipalName (UPN) bind
DN as an invalid DN. To work around this error, I was trying to see if I could use the
rwm overlay to detect the UPN and convert to the actual domain entry DN using an
attribute map. If I use the form
mail=UPN
the map works as expected; however, if I only provide the UPN as the bind DN, OpenLDAP
still rejects it as an invalid DN. I suspect that the rwm overlay manipulations to not
take effect until after the bind DN syntax is checked. I wanted to confirm my suspicion
and see if any one else has been able to get a UPN-based bind to work through OpenLDAP.
For reference my slapd.conf configuration is below:
### Schema includes ###########################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
## Module paths ##############################################################
modulepath /usr/lib64/openldap/
moduleload rwm
# Main settings ###############################################################
loglevel 8
sizelimit unlimited
idletimeout 600
writetimeout 30
allow bind_v2
pidfile /var/openldap/mycompany/var/slapd.pid
argsfile /var/openldap/mycompany/var/slapd.args
logfile /var/openldap/mycompany/logs/access
TLSCertificateFile /var/openldap/mycompany/certs/Server.pem
TLSCertificateKeyFile /var/openldap/mycompany/certs/Server.key
TLSCACertificateFile /var/openldap/mycompany/certs/ServerCA.pem
### Rewrite rules #############################################################
# Bind with UPN instead of full DN: we first need
# an ldap map that turns attributes into a DN (the
# argument used when invoking the map is appended to
# the URI and acts as the filter portion)
overlay rwm
rwm-suffixMassage "" "dc=mycompany,dc=com"
rwm-rewriteMap ldap attr2dn
"ldaps://mycompany.com/ou=Domain%20Users,dc=mycompany,dc=com?dn?sub"
bindwhen=now version=3 binddn="CN=mybindacct,ou=Domain
Users,DC=mycompany,DC=com" credentials=******
# Then we need to detect UPN DN
# note that the rule in case of match stops rewriting
# In case we are mapping virtual
# to real naming contexts, we also need to rewrite
# regular DNs, because the definition of a bindDN
# rewrite context overrides the default definition.
rwm-rewriteContext bindDN
rwm-rewriteRule "^[^=,]+(a)mycompany.com$" "mail=$0" ":"
rwm-rewriteRule "^mail=[^,]+(a)mycompany.com$" "${attr2dn($0)}"
":@"
### Database definition (Proxy to AD) #########################################
database ldap
readonly yes
protocol-version 3
rebind-as-user
uri "ldaps://mycompany.com"
suffix "dc=mycompany,dc=com"
Thanks,
Steve Vandenburgh
This communication is the property of CenturyLink and may contain confidential or
privileged information. Unauthorized use of this communication is strictly prohibited and
may be unlawful. If you have received this communication in error, please immediately
notify the sender by reply e-mail and destroy all copies of the communication and any
attachments.
11:27 a.m.
Am Sat, 26 Oct 2019 00:28:36 +0000
schrieb "Vandenburgh, Steve Y" <Steve.Vandenburgh(a)centurylink.com>:
I'm attempting to use OpenLDAP as a proxy to an Active Directory
domain. Using the ldap backend, I'm able to configure the proxy and
that configuration seems to be working well. But account entries
are frequently moved from ou to ou in a domain and Microsoft permits
the bind DN to be a userPrincipalName attribute value of the entry
instead of the full DN of the account; this features avoids having to
make many bind DN application configuration changes.
With just the ldap backend configured, OpenLDAP rejects the
userPrincipalName (UPN) bind DN as an invalid DN. To work around
this error, I was trying to see if I could use the rwm overlay to
detect the UPN and convert to the actual domain entry DN using an
attribute map. If I use the form
mail=UPN
the map works as expected; however, if I only provide the UPN as the
bind DN, OpenLDAP still rejects it as an invalid DN. I suspect that
the rwm overlay manipulations to not take effect until after the bind
DN syntax is checked. I wanted to confirm my suspicion and see if
any one else has been able to get a UPN-based bind to work through
OpenLDAP.
For reference my slapd.conf configuration is below:
[...]
slapd requires part of AD schemas in order to operate back-ldap
properly. Thus write a private schema, providing required attribute
types and object classes.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
12:57 p.m.
--On Saturday, October 26, 2019 9:27 PM +0200 Dieter Klünter
<dieter(a)dkluenter.de> wrote:
[...]
slapd requires part of AD schemas in order to operate back-ldap
properly. Thus write a private schema, providing required attribute
types and object classes.
The MSUser schema in OpenLDAP master may be useful for this.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
11:21 a.m.
Thanks for the tip Quanah (and Dieter). I have added the MSUser schema to the
configuration. However, I'm still getting the same behavior. If I use a bind DN
like
Mail=myname(a)mycompany.com
which is potentially a valid DN, the rewriting is applied; however if the bind DN is just
the email address e.g.
myname(a)mycompany.com
then the OpenLDAP returns error 34 (invalid DN). So before I do more troubleshooting, I
wanted to ask if the rewrite rules can be applied before the syntax check on the bind DN
is done. If the OpenLDAP server always performs the syntax check on the DN before any
rewrite rules are applied, then what I'm trying to accomplish (using a Microsoft UPN
bind DN) cannot be done.
Thanks again,
Steve Vandenburgh
LDAP Directory Services/Identity Management
CenturyLink
(720)738-2688
-----Original Message-----
From: openldap-technical <openldap-technical-bounces(a)openldap.org> On Behalf Of
Quanah Gibson-Mount
Sent: Saturday, October 26, 2019 1:57 PM
To: Dieter Klünter <dieter(a)dkluenter.de>; openldap-technical(a)openldap.org
Subject: Re: Question about OpenLDAP and rwm overlay
--On Saturday, October 26, 2019 9:27 PM +0200 Dieter Klünter <dieter(a)dkluenter.de>
wrote:
[...]
slapd requires part of AD schemas in order to operate back-ldap
properly. Thus write a private schema, providing required attribute
types and object classes.
The MSUser schema in OpenLDAP master may be useful for this.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%...
This communication is the property of CenturyLink and may contain confidential or
privileged information. Unauthorized use of this communication is strictly prohibited and
may be unlawful. If you have received this communication in error, please immediately
notify the sender by reply e-mail and destroy all copies of the communication and any
attachments.
11:44 a.m.
"Vandenburgh, Steve Y" <Steve.Vandenburgh(a)centurylink.com> writes:
Thanks for the tip Quanah (and Dieter). I have added the MSUser
schema to the configuration. However, I'm still getting the same
behavior. If I use a bind DN like
Mail=myname(a)mycompany.com
which is potentially a valid DN, the rewriting is applied; however if
the bind DN is just the email address e.g.
myname(a)mycompany.com
then the OpenLDAP returns error 34 (invalid DN). So before I do more
troubleshooting, I wanted to ask if the rewrite rules can be applied
before the syntax check on the bind DN is done. If the OpenLDAP
server always performs the syntax check on the DN before any rewrite
rules are applied, then what I'm trying to accomplish (using a
Microsoft UPN bind DN) cannot be done.
For this sort of DN rewriting slapd.conf(5) provides
'authid-rewrite' or 'olcAuthIdRewrite' in slapd-config(5).
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
8:55 p.m.
Thanks Dieter. I'm trying to perform a simple bind operation with a UPN and password.
Based on this OpenLDAP mail archive:
https://openldap-technical.openldap.narkive.com/8IrfS6xa/binding-with-an-...
authid-rewrite or olcAuthIdRewrite can only be used to modify the DN for SASL or
certificate-based authentication; it can't be used to modify simple bind DNs. Is that
still the case? Or is this information now out of date.
Thanks again,
Steve Vandenburgh
LDAP Directory Services/Identity Management
CenturyLink
(720)738-2688
-----Original Message-----
From: Dieter Kluenter <dieter(a)dkluenter.de>
Sent: Monday, October 28, 2019 12:44 PM
To: Vandenburgh, Steve Y <Steve.Vandenburgh(a)centurylink.com>
Cc: openldap-technical(a)openldap.org
Subject: Re: Question about OpenLDAP and rwm overlay
"Vandenburgh, Steve Y" <Steve.Vandenburgh(a)centurylink.com> writes:
Thanks for the tip Quanah (and Dieter). I have added the MSUser
schema to the configuration. However, I'm still getting the same
behavior. If I use a bind DN like
Mail=myname(a)mycompany.com
which is potentially a valid DN, the rewriting is applied; however if
the bind DN is just the email address e.g.
myname(a)mycompany.com
then the OpenLDAP returns error 34 (invalid DN). So before I do more
troubleshooting, I wanted to ask if the rewrite rules can be applied
before the syntax check on the bind DN is done. If the OpenLDAP
server always performs the syntax check on the DN before any rewrite
rules are applied, then what I'm trying to accomplish (using a
Microsoft UPN bind DN) cannot be done.
For this sort of DN rewriting slapd.conf(5) provides 'authid-rewrite' or
'olcAuthIdRewrite' in slapd-config(5).
-Dieter
--
Dieter Klünter | Systemberatung
https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%...
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
This communication is the property of CenturyLink and may contain confidential or
privileged information. Unauthorized use of this communication is strictly prohibited and
may be unlawful. If you have received this communication in error, please immediately
notify the sender by reply e-mail and destroy all copies of the communication and any
attachments.
2:20 p.m.
Michael,
I know this thread is old, but wanted to follow up by asking: would it be possible to
delay the BIND DN syntax check until after rwm manipulations are completed?
Unfortunately, there is a lot of client software that is dependent on this quirk but it
would be very beneficial to be able to use OpenLDAP as a proxy to AD. I suspect that
delaying the syntax check until after rwm manipulations would allow UPN-based
authentication to work.
Thanks,
Steve Vandenburgh
-----Original Message-----
From: Michael Ströder <michael(a)stroeder.com>
Sent: Tuesday, October 29, 2019 4:06 PM
To: Vandenburgh, Steve Y <Steve.Vandenburgh(a)centurylink.com>
Cc: openldap-technical(a)openldap.org
Subject: Re: Question about OpenLDAP and rwm overlay
On 10/29/19 4:55 AM, Vandenburgh, Steve Y wrote:
I'm trying to perform a simple bind operation with a UPN and
password.
This AD-specific quirk is not possible with OpenLDAP.
Ciao, Michael.
This communication is the property of CenturyLink and may contain confidential or
privileged information. Unauthorized use of this communication is strictly prohibited and
may be unlawful. If you have received this communication in error, please immediately
notify the sender by reply e-mail and destroy all copies of the communication and any
attachments.
2:37 p.m.
On 1/13/20 11:20 PM, Vandenburgh, Steve Y wrote:
I know this thread is old, but wanted to follow up by asking: would
it be possible to delay the BIND DN syntax check until after rwm
manipulations are completed?
AFAIK it is not possible.
Note that slapo-rwm operates on syntactically correct DNs.
Ciao, Michael.
-----Original Message-----
From: Michael Ströder <michael(a)stroeder.com>
Sent: Tuesday, October 29, 2019 4:06 PM
To: Vandenburgh, Steve Y <Steve.Vandenburgh(a)centurylink.com>
Cc: openldap-technical(a)openldap.org
Subject: Re: Question about OpenLDAP and rwm overlay
On 10/29/19 4:55 AM, Vandenburgh, Steve Y wrote:
> I'm trying to perform a simple bind operation with a UPN and password.
This AD-specific quirk is not possible with OpenLDAP.
Ciao, Michael.
2:25 a.m.
On Mon, Jan 13, 2020 at 10:20:07PM +0000, Vandenburgh, Steve Y wrote:
Michael,
I know this thread is old, but wanted to follow up by asking: would it
be possible to delay the BIND DN syntax check until after rwm
manipulations are completed? Unfortunately, there is a lot of client
software that is dependent on this quirk but it would be very
beneficial to be able to use OpenLDAP as a proxy to AD. I suspect
that delaying the syntax check until after rwm manipulations would
allow UPN-based authentication to work.
Hi Steve,
DN validation for binds/search bases/... happens way too early in the
frontend for this to be possible. Same reason why you can't write a
slapd module to handle the magic '<GUID=...>' AD DNs.
Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
1344
days inactive
1427
days old
openldap-technical@openldap.org
9 comments
6 participants
participants (6)
-
Dieter Kluenter -
Dieter Klünter
-
Michael Ströder -
Ondřej Kuzník -
Quanah Gibson-Mount -
Vandenburgh, Steve Y