Hi all,
I am trying to set up an OpenLDAP proxy to AD, and I need to use SUSE Enterprise Linux 12.
Hostname:/etc/openldap # rpm -qa | grep -i openldap
openldap2-2.4.41-18.43.1.x86_64
openldap2-client-2.4.41-18.43.1.x86_64
What I am trying to do is proxy an application (with thousands of users) from talking directly to AD to talking to OpenLDAP, and then have OpenLDAP talk to AD. Looking across the net there is a bunch of stuff, but most of it does not seem to apply or work. Looking at the official doc, it says to use SASL, but you must have a local entry with a {SASL} tag on the user; that's not really ideal and would make a huge problem. A few of the posts online just said to point to AD via LDAP; is that possible? And this application also has a group lookup as part of its auth process, e.g. only members of groupX can access....
Any help in this would be huge.
It seems I am mixing up a few different ways of doing this. What's the best way to do this?
Thanks
-N6ghost
On Mon, 25 Feb 2019 13:34:45 -0800, N6Ghost n6ghost@gmail.com wrote:
I presume you are running slapd with the slapd-ldap(5) backend. AD requires non-standard attribute types, which OpenLDAP does not provide. Include AD schema files into slapd. RFC 4513 requires SASL for strong binds; if your AD is set up as a KDC you may include the OpenLDAP services as Kerberos host and service principals.
-Dieter
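As an added example of the setup Dieter describes (slapd with the slapd-ldap(5) backend in front of AD, with the AD schema loaded), not taken from the thread or from the OpenLDAP project: a script that renders a minimal slapd.conf for the proxy and syntax-checks it with slaptest(8). The DC name dc1.example.com, the suffix dc=example,dc=com, the service account DN, the CA file path and the msuser.schema install location are assumptions for illustration. The bind password is read from the environment rather than argv so it does not show up in ps(1), and the file is written with umask 077 because it carries that credential.

```shell
#!/bin/sh
# Added example, not from the thread: slapd as a back-ldap proxy to AD.
# Placeholders (not from the thread): dc1.example.com, dc=example,dc=com,
# the service account DN and the CA file path.

# Password comes from the environment, not argv, so it never shows up in ps(1).
render_slapd_conf() {
    ad_host="$1"; suffix="$2"; bind_dn="$3"; cacert="$4"
    [ -n "${AD_BIND_PW:-}" ] || { echo 'set AD_BIND_PW first' >&2; return 1; }
    cat <<EOF
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
# AD object classes and attributes slapd must know to proxy user/group entries
include /etc/openldap/schema/msuser.schema

moduleload back_ldap.la
moduleload rwm.la

database ldap
suffix "$suffix"
uri "ldap://$ad_host/"
protocol-version 3
# AD answers with referrals for its other partitions; do not follow them
chase-referrals no
# Each client's simple bind is forwarded to AD as that user: AD checks the password
rebind-as-user yes
# StartTLS to the DC is mandatory and its certificate must chain to our CA
tls start tls_cacert=$cacert tls_reqcert=demand
# Searches done by the application's service identity run in AD as this account.
# AD has no proxied-authorization control, so no identity is asserted (mode=none).
idassert-bind bindmethod=simple binddn="$bind_dn" credentials="$AD_BIND_PW" mode=none
idassert-authzFrom "dn:*"

# Let the application keep its uid / inetOrgPerson / groupOfNames view of users
# and groups; rwm translates to AD's sAMAccountName / user / group on the way out
overlay rwm
rwm-rewriteEngine on
rwm-map attribute uid sAMAccountName
rwm-map objectclass inetOrgPerson user
rwm-map objectclass groupOfNames group
EOF
}

# Write the file readable by root only, then syntax-check it. slaptest -u does
# not open any database, so it works before slapd is set up as a service.
write_and_check() {
    umask 077
    render_slapd_conf "$@" > "$OUT" || return 1
    if command -v slaptest >/dev/null 2>&1; then
        slaptest -u -f "$OUT"
    else
        echo "slaptest not found; skipping syntax check of $OUT" >&2
    fi
}

OUT="${OUT:-./slapd.conf.proxy}"
if [ -n "${AD_BIND_PW:-}" ]; then
    write_and_check dc1.example.com 'dc=example,dc=com' \
        'CN=svc-ldapproxy,OU=Service Accounts,DC=example,DC=com' \
        /etc/pki/trust/anchors/ad-ca.pem
fi
```

Run it as `AD_BIND_PW='...' OUT=/etc/openldap/slapd.conf sh proxy.sh`. With this layout the application's existing flow (search for the user by uid with the service account, then bind as the found DN, then check group membership with a member= filter) is passed to AD unchanged; only the attribute and object class names are translated by rwm.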
On 2/26/2019 12:07 AM, Dieter Klünter wrote:
I presume you are running slapd with the slapd-ldap(5) backend. AD requires non-standard attribute types, which OpenLDAP does not provide. Include AD schema files into slapd. RFC 4513 requires SASL for strong binds; if your AD is set up as a KDC you may include the OpenLDAP services as Kerberos host and service principals.
-Dieter
Where do I get the AD schema? That's not in the schema directory. Yeah, I was working with /etc/slapd.conf, but in OpenLDAP 2.4 it seems some stuff has changed, and there is lots of very conflicting information on how to go about getting the proxy to AD. Lots of posts say you can just have a config in slapd.conf, but that not only does not work, but many of the items in those configs don't work and will not allow the service to even start.
Then there is the matter where the official docs say you can pass through, but the accounts need a local OpenLDAP account with {SASL} tagged, which for a large domain with thousands of users is a pain.
And it seems OpenLDAP is more of a solutions backend that has a bazillion options, and you build out a design, options, configs etc. based on your needs, and you have to hunt down the how and what's supported etc., and you have to deal with the distro's packaging....
-N6Ghost
On Tue, 26 Feb 2019 09:18:09 -0800, N6Ghost n6ghost@gmail.com wrote:
Where do I get the AD schema? That's not in the schema directory. Yeah, I was working with /etc/slapd.conf, but in OpenLDAP 2.4 it seems some stuff has changed, and there is lots of very conflicting information on how to go about getting the proxy to AD. Lots of posts say you can just have a config in slapd.conf, but that not only does not work, but many of the items in those configs don't work and will not allow the service to even start.
Not much has changed since OpenLDAP 2.1 with regard to protocol requirements.
Then there is the matter where the official docs say you can pass through, but the accounts need a local OpenLDAP account with {SASL} tagged, which for a large domain with thousands of users is a pain.
That's why i did point to Kerberos.
And it seems OpenLDAP is more of a solutions backend that has a bazillion options, and you build out a design, options, configs etc. based on your needs, and you have to hunt down the how and what's supported etc., and you have to deal with the distro's packaging....
Most of the options you refer to are built in as defaults, that is, only tweak the configuration parameters that are required for your setup.
Just as a hint:
ldapsearch -x -H ldap://path/to/AD -b "" -s base "(objectClass=*)" namingContexts subschemaSubentry
and search for the subschemaSubentry attribute type.
-Dieter
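To carry Dieter's hint through, here is an added example (not from the thread) of the two-step discovery: read the rootDSE for namingContexts and subschemaSubentry, then read the schema entry that DN points at. It includes a small LDIF reader because ldapsearch folds long lines at 76 columns and AD's schema DN is long enough to be folded, so a naive grep misses it. The host dc1.example.com, the service account DN and the rootDSE sample are constructed for illustration; the sample mimics what an AD rootDSE returns.

```shell
#!/bin/sh
# Added example, not from the thread: find AD's schema entry via the rootDSE.
# Assumed names: dc1.example.com and the bind DN below are placeholders.

AD_HOST="${AD_HOST:-dc1.example.com}"

# Print every value of one attribute from LDIF on stdin, one per line.
# Continuation lines (leading space) are joined onto the previous line.
# Base64 values (attr:: ...) are printed undecoded.
ldif_attr() {
    awk -v attr="$1" '
        function flush(    k, v) {
            k = buf; sub(/:.*/, "", k)
            if (tolower(k) == tolower(attr)) {
                v = buf; sub(/^[^:]*::? */, "", v); print v
            }
            buf = ""
        }
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") flush(); buf = $0 }
        END   { if (buf != "") flush() }
    '
}

# Constructed sample of "ldapsearch -LLL -b '' -s base" output from an AD
# rootDSE, with the subschemaSubentry DN folded as ldapsearch would emit it.
SAMPLE_ROOTDSE='dn:
namingContexts: DC=example,DC=com
namingContexts: CN=Configuration,DC=example,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=example,DC=com
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=c
 om
'

# DN of the entry that carries attributeTypes and objectClasses.
schema_dn() { printf '%s\n' "$1" | ldif_attr subschemaSubentry; }

# Number of naming contexts (AD: domain, Configuration, Schema, DNS partitions).
count_naming_contexts() { printf '%s\n' "$1" | ldif_attr namingContexts | grep -c .; }

# Step 1 against a real DC. The rootDSE is the one thing AD serves anonymously.
# -ZZ insists on StartTLS so nothing later in the session travels in clear.
rootdse_live() {
    ldapsearch -x -ZZ -LLL -H "ldap://$1" -b "" -s base "(objectClass=*)" \
        namingContexts subschemaSubentry
}

# Step 2: read the schema entry. AD does not serve this anonymously, so bind
# as a real account (-W prompts for the password instead of taking it on argv).
schema_live() {
    ldapsearch -x -ZZ -LLL -H "ldap://$1" -D "$2" -W -b "$3" -s base \
        "(objectClass=subschema)" attributeTypes objectClasses
}

# Offline demonstration on the constructed sample.
dn=$(schema_dn "$SAMPLE_ROOTDSE")
printf 'schema entry: %s\n' "$dn"
printf 'naming contexts: %s\n' "$(count_naming_contexts "$SAMPLE_ROOTDSE")"
# Live use, once AD_HOST and the bind DN are real:
#   rootdse_live "$AD_HOST"
#   schema_live "$AD_HOST" "CN=svc-ldapproxy,OU=Service Accounts,DC=example,DC=com" "$dn"
```

The output of step 2 is the definitive list of what AD will hand back; compare it against the subset shipped in msuser.schema before deciding which extra attribute types slapd needs to know about.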
--On Tuesday, February 26, 2019 9:18 AM -0800 N6Ghost n6ghost@gmail.com wrote:
Where do I get the AD schema? That's not in the schema directory.
It will be with OpenLDAP 2.5 when that gets released. You can currently obtain it from here:
LDIF format: https://raw.githubusercontent.com/openldap/openldap/master/servers/slapd/schema/msuser.ldif
Deprecated Schema Format: https://raw.githubusercontent.com/openldap/openldap/master/servers/slapd/schema/msuser.schema
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Quanah Gibson-Mount wrote:
--On Tuesday, February 26, 2019 9:18 AM -0800 N6Ghost n6ghost@gmail.com wrote:
Where do I get the AD schema? That's not in the schema directory.
It will be with OpenLDAP 2.5 when that gets released. You can currently obtain it from here:
LDIF format: https://raw.githubusercontent.com/openldap/openldap/master/servers/slapd/schema/msuser.ldif
Deprecated Schema Format: https://raw.githubusercontent.com/openldap/openldap/master/servers/slapd/schema/msuser.schema
Quoting from above files:
# Only the subset of Windows 2012 attributes needed to make the
# user and group objectclasses work has been added to the previously
# retrieved definitions.
This is not a complete Microsoft schema, nor was it ever intended to be complete.
On 26.02.19 at 18:18, N6Ghost wrote:
Where do I get the AD schema? That's not in the schema directory.
See Quanah's response.
Yeah, I was working with /etc/slapd.conf, but in OpenLDAP 2.4 it seems some stuff has changed,
Maybe you mean the option to put the configuration in the LDAP data (below cn=config) instead of using slapd.conf. You can still use the latter, though.
and there is lots of very conflicting information on how to go about getting the proxy to AD. Lots of posts say you can just have a config in slapd.conf, but that not only does not work, but many of the items in those configs don't work and will not allow the service to even start.
Then there is the matter where the official docs say you can pass through, but the accounts need a local OpenLDAP account with {SASL} tagged, which for a large domain with thousands of users is a pain.
So there are several possibilities to integrate OL and AD:
1.) What you are referring to is pass-through authentication, where all data are managed in OL except the password, i.e. bind requests (authentication) are proxied to AD. This is done by including {SASL}username@realm in the userPassword attribute. If you have the AD username in OL already, this can be done with a script quite easily.
2.) Using only the data in AD and letting OL proxy everything. This can be done via the ldap backend or the meta backend, both in combination with the rwm overlay. Here you need to include the AD schema pointed to by Quanah.
3.) The Kerberos-based solution mentioned by Dieter.
4.) You can also have a look at the translucent proxy overlay.
Which solution is best for you depends on your requirements.
Of course, yet another solution might be that you introduce a proper identity management system that provisions AD and OL as target systems...
Hope this helps clarify things.
Cheers,
Peter
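For option 1 in Peter's list, here is the kind of script he means, as an added example that is not from the thread: it takes a list of uids and emits LDIF that sets each entry's userPassword to {SASL}uid@REALM, so slapd hands those simple binds to saslauthd (which in turn checks them against AD) instead of a local hash. The base ou=people,dc=example,dc=com, the realm EXAMPLE.COM, the assumption that the local uid equals the AD sAMAccountName, and the user list are all constructed for illustration. Because the uid ends up inside a DN and a SASL user name, the script refuses anything outside a conservative character set rather than interpolating it.

```shell
#!/bin/sh
# Added example, not from the thread: provision {SASL} pass-through entries.
# Assumptions (placeholders): entries under ou=people,dc=example,dc=com,
# local uid == AD sAMAccountName, realm EXAMPLE.COM.

REALM="${REALM:-EXAMPLE.COM}"
BASE="${BASE:-ou=people,dc=example,dc=com}"

# Constructed sample input: one uid per line, as exported from the application.
# "bad user" is there to show that unsafe names are filtered, not interpolated.
SAMPLE_USERS='jdoe
asmith
bad user
'

# Allow only characters that are safe in both a DN RDN and a SASL user name.
valid_uid() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# stdin: uids. stdout: one LDIF modify record per valid uid. stderr: rejects.
passthrough_ldif() {
    while IFS= read -r uid; do
        [ -n "$uid" ] || continue
        if ! valid_uid "$uid"; then
            printf 'skipping uid with unsafe characters: %s\n' "$uid" >&2
            continue
        fi
        printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: userPassword\nuserPassword: {SASL}%s@%s\n-\n\n' \
            "$uid" "$BASE" "$uid" "$REALM"
    done
}

# Number of modify records in an LDIF stream (one dn: line each).
count_records() { grep -c '^dn: '; }

# slapd side: make Cyrus SASL verify PLAIN credentials through saslauthd.
# Goes into the SASL plugin directory as slapd.conf (assumed /usr/lib64/sasl2
# on SLES 12 x86_64), with saslauthd started as "saslauthd -a ldap" and its
# saslauthd.conf pointing at AD over TLS.
sasl_slapd_conf() {
    printf 'pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n'
}

printf '%s' "$SAMPLE_USERS" | passthrough_ldif
```

Feed the output to `ldapmodify -x -H ldapi:/// -D cn=admin,dc=example,dc=com -W -f users.ldif` (admin DN assumed). Note that a {SASL} value only changes who verifies the password; the entry, its attributes and its group memberships still live in OpenLDAP, which is exactly the provisioning burden the original post wants to avoid for thousands of users.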
Peter wrote:
Don't forget slapo-pbind.
openldap-technical@openldap.org