Hello,
Sorry, I tried posting this yesterday but it didn't seem to make it on the list - trying again.
I currently have OpenLDAP (2.4.28) running on a Linux box with a local database and a meta backend which represents the local database along with a remote Active Directory server (2008 R2). Below is a snapshot of my slapd.conf.
#------------------------------------------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
loglevel -1
modulepath /usr/lib/openldap/
allow bind_v2

database bdb
suffix "dc=local,dc=example,dc=com"
directory /var/lib/ldap
rootdn "cn=root,dc=local,dc=example,dc=com"
rootpw secret

database meta
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw secret

## Local
uri ldap://localhost/ou=Users,dc=local,dc=example,dc=com
idassert-bind bindmethod=simple binddn="cn=root,dc=local,dc=example,dc=com" credentials=secret

## Remote Active Directory
uri ldap://ad.example.com/cn=Users,dc=example,dc=com
idassert-bind bindmethod=simple binddn="cn=sync,cn=users,dc=example,dc=com" credentials=secret
# tls_cacert=/etc/openldap/cacerts/ad-ca.cer
# tls_cert=/etc/openldap/local.pem
# tls_key=/etc/openldap/local.key
#-----------------------------------------------------------
When I run the following command:
ldapsearch -x -D "cn=root,dc=example,dc=com" -w secret -b "dc=example,dc=com" -H ldap://localhost
Everything works as expected with the above config, meaning I see the local and remote/proxied entries on AD with the root credentials specified above. Logs on AD indicate that the user sync performed a search. As I understand it, id-assertion is working??
Now if I change the remote entry to the following (enable SSL):
## Remote Active Directory
uri ldaps://ad.example.com/cn=Users,dc=example,dc=com
idassert-bind bindmethod=simple binddn="cn=sync,cn=users,dc=example,dc=com" credentials=secret tls_cacert=/etc/openldap/cacerts/ad-ca.cer tls_cert=/etc/openldap/local.pem tls_key=/etc/openldap/local.key
The same command (ldapsearch -x -D "cn=root,dc=example,dc=com" -w secret -b "dc=example,dc=com" -H ldap://localhost) binds locally successfully but does not list any remote attributes from AD.
Verbose logging enabled on Active Directory indicates an anonymous bind and subsequent failure. This is what I'm trying to understand.
However, if I search using an account that resides on the AD server (-D "cn=sync,cn=users,dc=example,dc=com" -w secret), it works and the traffic is encrypted. The root account "seems" to be ignored when it comes to the assertion, but only when SSL is enabled.
Now, if I use TLS instead,
## Remote Active Directory
uri ldap://ad.example.com/cn=Users,dc=example,dc=com
tls start
idassert-bind bindmethod=simple binddn="cn=sync,cn=users,dc=example,dc=com" credentials=secret tls_cacert=/etc/openldap/cacerts/ad-ca.cer tls_cert=/etc/openldap/local.pem tls_key=/etc/openldap/local.key
Everything works, and I see the remote entries in AD using the meta root credentials. I've verified the network traffic to ensure it was indeed encrypted. I've also verified that using ldapsearch directly against AD (ex: -H ldaps://ad.example.com) functions as intended. I did play around with slapd-ldap and it seemed to behave the same as meta regarding ldaps. In my eyes, something in my configuration makes the proxy seemingly ignore ldaps entries. Hopefully I didn't miss anything painfully obvious in the docs :)
Thanks,
openldap-technical@openldap.org
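An added static check, not code from the original post or from OpenLDAP: it reads the slapd-meta directives used above (uri, tls, idassert-bind with bindmethod/binddn/tls_* options) and reports, per proxied target, whether the slapd-to-AD hop is encrypted and which identity the proxy is configured to assert. The sample config is constructed from the post's three variants with the secrets replaced; the runtime fallback to an anonymous bind the post observed is only visible in the AD log or on the wire, not in this check.

```python
"""Summarise transport and asserted identity per target in an slapd-meta block."""
import re
import shlex

# Constructed sample: the post's local target, its ldaps:// variant and its
# StartTLS variant (credentials replaced by a placeholder).
SAMPLE_CONF = """
database meta
suffix "dc=example,dc=com"
## Local
uri ldap://localhost/ou=Users,dc=local,dc=example,dc=com
idassert-bind bindmethod=simple binddn="cn=root,dc=local,dc=example,dc=com" credentials=PLACEHOLDER
## Remote AD over ldaps
uri ldaps://ad.example.com/cn=Users,dc=example,dc=com
idassert-bind bindmethod=simple binddn="cn=sync,cn=users,dc=example,dc=com" credentials=PLACEHOLDER tls_cacert=/etc/openldap/cacerts/ad-ca.cer
## Remote AD over StartTLS
uri ldap://ad.example.com/cn=Users,dc=example,dc=com
tls start tls_cacert=/etc/openldap/cacerts/ad-ca.cer
idassert-bind bindmethod=simple binddn="cn=sync,cn=users,dc=example,dc=com" credentials=PLACEHOLDER
"""

def parse_meta_targets(conf_text):
    """Group the directives following each 'uri' line into one dict per target."""
    targets, cur = [], None
    for raw in conf_text.splitlines():
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        directive, *args = shlex.split(line)  # shlex unquotes binddn="..."
        directive = directive.lower()
        if directive == "uri":
            cur = {"uri": args[0], "starttls": False, "idassert": {}}
            targets.append(cur)
        elif cur is None:
            continue  # database-level directives before the first target
        elif directive == "tls":
            cur["starttls"] = args[0] in ("start", "try-start", "propagate", "try-propagate")
        elif directive == "idassert-bind":
            cur["idassert"] = dict(a.split("=", 1) for a in args if "=" in a)
    return targets

def assess(target):
    """Return (encrypted, asserted_dn, findings) for one proxied target."""
    scheme = target["uri"].split("://", 1)[0].lower()
    encrypted = scheme == "ldaps" or target["starttls"]
    ia = target["idassert"]
    dn = ia.get("binddn", "")
    findings = []
    if not encrypted:
        findings.append("cleartext hop: asserted credentials cross the wire unprotected")
    if ia.get("bindmethod", "none") == "simple" and not dn:
        findings.append("simple bind without binddn: no identity to assert")
    return encrypted, dn, findings
```

Run it over the real slapd.conf and compare the reported identity per target with what the AD security log records for the bind, which is where the post's discrepancy showed up.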