
Re: Controlled LDAP Proxy/Relay



Hello, thank you,

but my application, CUCM, can use only one directory to authenticate users. I can configure only one dc.

Regards
Waldemar

-----Original Message-----
From: Aaron Richton [mailto:richton@nbcs.rutgers.edu] 
Sent: Monday, 25 June 2012 16:28
To: Siebert, Waldemar
Cc: openldap-technical@openldap.org
Subject: Re: Controlled LDAP Proxy/Relay

On Fri, 22 Jun 2012, W.Siebert@t-systems.com wrote:

> Hello,
> thanks for your answer.
> But I don't have any local users. All users are in two targets: domain01.com and domain99.net (AD). Where should I place the userPassword attribute?

So you have dc=microsoft1 running on ad1.example.com and dc=microsoft2 
running on ad2.example.net, with no need for additional data?

Have you considered:

database meta
subordinate
suffix "dc=microsoft1"
uri ldap://ad1.example.com/dc=microsoft1

database meta
subordinate
suffix "dc=microsoft2"
uri ldap://ad2.example.net/dc=microsoft2

database null
suffix ""

and then have your "single baseDN only" client configured to the 
back-null? The only place this gets slightly weird is if you have a conflicting 
namespace across the two back-metas (i.e. if "cn=example,dc=microsoft1" 
and "cn=example,dc=microsoft2" both exist -- check your application 
behavior carefully in such a case).

> My problem:
> We have VoIP realized by Cisco Unified Call Manager (CUCM). There are several thousand users in the customer's directory (domain01.com) using CUCM for voice and
> ca. 100 admin users in the supplier directory (domain99.net). No trust, different companies.
> Because CUCM can use only one directory to authenticate users, I've implemented an OpenLDAP meta directory that proxies these 2 Microsoft AD targets.
> But the meta backend tries to authenticate against the first target and, if the user was not found, against the second.
> Result: intrusion detection registers a lot of unsuccessful login attempts.
>  
> Therefore my question:
> Is it possible to implement the controlled proxy with OpenLDAP ?
> E.g., like a RADIUS proxy based on realm: when the username is _xxx@domain01.com_, go to target1, and when the username is _xxx@domain99.net_, go to target2.
> Can you help me please?
> Kind regards
> Waldemar
>  
>  
> ################################################################
>  
> On 08/02/2012 09:58, W.Siebert@t-systems.com wrote:
>  
> > Is it possible to implement the controlled proxy with OpenLDAP ?
> > E.g., like Radiusproxy based on realm: when username is
> > _xxx@domain01.com_ go to the target1, and
> > when username is _xxx@domain99.net_ go to the target2.
>  
> Yes, a combination of meta database config in slapd.conf and appropriate SASL config.
>  
> In your schema, use the following in userPassword:
>  
> userPassword: {SASL}xxx@DOMAIN
>  
> where DOMAIN is whichever domain the user needs to be authenticated against.
>  
> In slapd.conf:
>  
> database     meta
> suffix       dc=local
> rootdn       cn=administrator,dc=local
> rootpw       secret
>  
> # domain01
> uri   ldaps://domain01.com:3269/ou=domain01.com,dc=local
> lastmod     off
> suffixmassage  "ou=domain01.com,dc=local" "dc=domain01,dc=com"
>  
> idassert-bind           bindmethod=simple
>                          binddn="cn=binder,dc=domain01,dc=com"
>                          credentials="password"
>                          flags=non-prescriptive
>  
> idassert-authzFrom      "dn.exact:cn=administrator,dc=local"
>  
> # domain02
> uri   ldaps://domain02.com:3269/ou=domain02.com,dc=local
> lastmod     off
> suffixmassage  "ou=domain02.com,dc=local" "dc=domain02,dc=com"
>  
> idassert-bind           bindmethod=simple
>                          binddn="cn=binder,dc=domain02,dc=com"
>                          credentials="password"
>                          flags=non-prescriptive
>  
> idassert-authzFrom      "dn.exact:cn=administrator,dc=local"
>  
> In saslauthd.conf you need to create the appropriate search base for authentication based on the domain in the userPassword field:
>  
> ldap_servers: ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi-meta
> ldap_search_base: ou=%d,dc=local
> ldap_filter: (sAMAccountName=%U)
> ldap_auth_method: bind
>  
> ldap_bind_dn: cn=administrator,dc=local
> ldap_password: secret
>  
> ldap_deref: never
> ldap_use_sasl: no
>  
> Hopefully this is enough info to get you going.
>  
> --
> Liam Gretton                                    liam.gretton@le.ac.uk
> HPC Architect                                 http://www.le.ac.uk/its
> IT Services                                   Tel: +44 (0)116 2522254
> University of Leicester, University Road Leicestershire LE1 7RH, United Kingdom
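The realm-based routing that Liam's userPassword/saslauthd configuration achieves, worked through as an added example (not code from the thread): it parses a {SASL}user@REALM value, applies saslauthd's %d/%U substitution and the suffixmassage mapping from the quoted slapd.conf, and refuses an unknown realm instead of falling through to the next target. Lower-casing the realm for the lookup is an assumption.

```python
import re

# Constructed from the two suffixmassage lines in the quoted slapd.conf:
# local glue entry (the %d search base) -> real AD suffix behind it.
SUFFIX_MASSAGE = {
    "ou=domain01.com,dc=local": "dc=domain01,dc=com",
    "ou=domain02.com,dc=local": "dc=domain02,dc=com",
}

SEARCH_BASE_TEMPLATE = "ou=%d,dc=local"   # saslauthd ldap_search_base
FILTER_TEMPLATE = "(sAMAccountName=%U)"   # saslauthd ldap_filter


def parse_sasl_userpassword(value):
    """Split a '{SASL}user@REALM' userPassword value into (user, realm)."""
    m = re.fullmatch(r"\{SASL\}([^@]+)@([^@]+)", value)
    if not m:
        raise ValueError("not a {SASL}user@REALM value: %r" % value)
    # Realm is lower-cased for the lookup (assumption: DNs compare case-insensitively).
    return m.group(1), m.group(2).lower()


def escape_filter_value(s):
    """RFC 4515 escaping so the user portion cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in s)


def route(userpassword):
    """Resolve the single backend a bind for this user is sent to.

    Returns the saslauthd search base and filter after %d/%U substitution and
    the remote AD base after suffixmassage.  An unknown realm raises KeyError,
    so the bind fails at the proxy instead of being retried on every target
    (the fallthrough that produced the IDS noise described in the thread).
    """
    user, realm = parse_sasl_userpassword(userpassword)
    search_base = SEARCH_BASE_TEMPLATE.replace("%d", realm)
    ldap_filter = FILTER_TEMPLATE.replace("%U", escape_filter_value(user))
    remote_base = SUFFIX_MASSAGE[search_base]
    return {
        "user": user,
        "realm": realm,
        "search_base": search_base,
        "filter": ldap_filter,
        "remote_base": remote_base,
    }
```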