[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP, PADL and querying multiple ADs



Replying to myself... some more infos regarding this setup:

1. If you are trying to specify the "root level" of your Active Directory
forest as the search base in slapd.conf, then you may see that "id" and
"getent passwd" will hang forever. If, while you are performing an LDAP
search ("id username", for example), you will run tcpdump and/or strace
you may see that your slapd is trying to contact a specific number of DCs
in your forest (depending on how many are joined to your AD) one by one,
and this might basically never time out...  I've had to hit CTRL+C after
30 minutes of waiting for output from "getent passwd", as it was still
(re)trying to contact all sorts of DCs (to which my box has no direct
connection and thus failed to connect). To disable that behavior, the
magic switch was "norefs yes" in your "database meta" stanza.

2. "RewriteRule ..." is not necessary. suffixmassage will do just fine.

So, in order to integrate two ADs at the same time and fetching the UNIX
attributes stored in the AD for each user, the following config works.
Note that "getent passwd" and "getent group" will not yield any output (at
least here, probably too many users.), but you may work around that if you
specify all the OU's with UNIX users/groups (= UNIX attributes) manually
in /etc/ldap.conf, e.g.

nss_base_passwd        ou=UNIXusers,dc=grouped,dc=all?sub
nss_base_group        ou=UNIXgroups,dc=grouped,dc=all?sub
nss_base_passwd        ou=MoreUsers,dc=ad2,dc=grouped,dc=all?sub
nss_base_group        ou=MoreGroups,dc=ad2,dc=grouped,dc=all?sub
...etc...

But even if it doesn't work its not that bad as its just cosmetic. "id
username" or "getent passwd username" will always work.

So, anyways, the working config is:

/etc/openldap/slapd.conf:

moduleload back_meta.so

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/rfc2307bis.schema
include         /etc/openldap/schema/yast.schema

database        meta
norefs          yes
suffix          "dc=ad2,dc=grouped,dc=all"
subordinate
uri             "ldap://ADhost1/dc=ad2,dc=grouped,dc=all  
ldap://ADhostbackup/";
suffixmassage   "dc=ad2,dc=grouped,dc=all" "dc=bla,dc=blubb"
idassert-bind bindmethod=simple
 binddn="CN=\"abc, def\",OU=Accounts,OU=Somewhere,DC=bla,DC=blubb"
 credentials="xxxxxxx"
overlay rwm
rwm-map objectclass posixGroup group
rwm-map objectclass posixAccount organizationalPerson
rwm-map attribute homeDirectory unixHomeDirectory

database        meta
norefs          yes
suffix          "dc=grouped,dc=all"
rootdn          "cn=adminuser,dc=grouped,dc=all"
rootpw          "somepassword"
uri             "ldaps://anotherADhost1/dc=grouped,dc=all      
ldaps://anotherADhostbackup1/      ldaps://anotherADhostbackup2/"
suffixmassage   "dc=grouped,dc=all" "DC=oink,DC=boink"
idassert-bind bindmethod=simple
 binddn="CN=bla.XXX.svc,OU=SpecialAccounts,OU=Huhu,DC=oink,DC=boink"
 credentials="yyyyyyyy"
overlay rwm
rwm-map objectclass posixGroup group
rwm-map objectclass posixAccount organizationalPerson
rwm-map attribute homeDirectory unixHomeDirectory

And then finally your /etc/ldap.conf:

host 127.0.0.1
base dc=grouped,dc=all
binddn cn=adminuser,dc=grouped,dc=all
bindpw somepassword

(Yes, those 4 lines are sufficient. No mapping of the UNIX attributes
necessary, you are already doing that in the rwm overlay of slapd.)

Regards
Markus


> I have found a solution to the problem with the help of the following Blog
> entry that I found via Googling:
>
> http://blog.sejo.be/2010/01/8/openldap-en-3-ad-servers/
>
> This guy is my hero. :-)
>
> Since this example only fetches user information from the ADs, but I also
> need to get group information, I have set up another "database meta"
> stanza for each ou= in AD where group information lies that I need to
> fetch, e.g.:
>
> database        meta
> suffix          "dc=ad4,dc=grouped,dc=all"
> subordinate
> uri             "ldap://x.x.x.x/dc=ad4,dc=grouped,dc=all";
> suffixmassage   "dc=ad4,dc=grouped,dc=all"
> "OU=UNIXgroups,DC=company,DC=com"
> rewriteEngine on
> RewriteRule     "group=(.*)dc=ad4,dc=grouped,dc=all$"
> "%1OU=UNIXgroups,DC=company,DC=com" ":"
>
> I cannot figure out how to get to the groups otherwise. Maybe it would be
> possible to add another line of "uri", "suffixmassage" and "RewriteRule"
> to the e.g. dc=ad3 stanza (see Blog entry), but I haven't tested yet
> because my variant already works. The question is what will happen with
> the performance if I will have to add so many ou='s in the future and add
> another "database meta" stanza for each of them (maybe dozens or
> hundreds).
>
> Anyway... lets go on:
>
> What is not mentioned in the blog example is that we have to add the
> following to get users/groups mapped (and this means getting the whole
> setup to work at all). For database meta stanzas where you fetch users:
>
> overlay rwm
> rwm-map objectclass posixAccount user
> rwm-map attribute homeDirectory unixHomeDirectory
>
> And instead for those database meta stanzas where you fetch groups:
>
> overlay rwm
> rwm-map objectclass posixGroup group
>
> OpenLDAP will complain with the following at startup, though:
>
> line 108: warning, destination objectClass 'group' is not defined in
> schema
> line 134: warning, destination objectClass 'user' is not defined in schema
> line 135: warning, destination attributeType 'unixHomeDirectory' is not
> defined in schema
>
> But we don't care. :-) Without that it just doesn't work. It should be
> noted that the ADs are running on Windows Server 2003 R2 who have the
> rfc2307bis stuff integreated, no SFU (Services for Unix) required anymore.
>
> Then, in /etc/ldap.conf I have the following:
>
> host 127.0.0.1
> base dc=grouped,dc=all
> binddn cn=user,dc=grouped,dc=all
> bindpw cn=userpw
> bind_policy soft
> nss_base_passwd DC=grouped,DC=all?sub
> nss_base_passwd DC=ad2,DC=grouped,DC=all?sub
> nss_base_group DC=ad3,DC=grouped,DC=all?sub
> nss_base_group DC=ad4,DC=grouped,DC=all?sub
>
> Without the ?sub stuff I'm not getting any results (even though, at least
> for groups, I am specifying the exact ou= location of the groups in
> slapd.conf. Weird.).
>
> Then getent passwd and getent group works and I can log in (e.g. via FTP)
> just fine to my local machine using an AD user that has proper UNIX
> attributes stored in any of the two ADs.
>
> That's it. And what I just realized that I'm not using the "subordinate"
> feature how its supposed to work (according to the Blog entry) cause for
> me it doesn't work as described. So that means since I'm specifying the
> _passwd and _group stuff directly in /etc/ldap.conf I could probably also
> use multiple "database ldap" entries instead of "database meta". But then
> the question is how can I log in with a single root DN to my local
> OpenLDAP server, since /etc/ldap.conf allows only to set one, and only one
> search base (which is so 90s in some way).
>
> Regards
> Markus
>
>
>> Thanks for the hint, Jonathan.
>>
>> Is there anyone on this list who would call himself an (Open)LDAP expert
>> and would be available for paid consulting regarding this matter? Please
>> get in touch with me then!
>>
>> Thanks
>> Markus
>>
>>
>>> On 15/06/2010 16:39, Markus wrote:
>>>> Hello list,
>>>>
>>>> I'm on SLES 11 and the mission is to allow Active Directory (AD) users
>>>> to
>>>> log in to Linux. The difficulty is that those users are stored in two
>>>> separate ADs which have no connection to each other. Both ADs are
>>>> running
>>>> on Windows 2003 R2 (or later) and I'm using the LDAP PADL NSS
>>>> (/etc/ldap.conf) implementation to map the UNIX attributes that are
>>>> stored
>>>> in the AD to local values (homedir, shell, UID/GID etc.). So far so
>>>> good,
>>>> everything works fine (getent passwd, PAM logins).
>>>>
>>>> Now, when searching for a solution on how to query two ADs via LDAP at
>>>> the
>>>> same time it seems like OpenLDAP supports multiple LDAP search bases,
>>>> and
>>>> there was also a mentioning of the translucent overlay feature, so I
>>>> suppose using OpenLDAP I could fetch the UNIX attributes from both ADs
>>>> simultaneously.
>>>
>>> Yes, you can use OpenLDAP as a proxy to the two ADs via LDAP. Checkout
>>> the slapd-meta man page (meta is a backend that can take several remote
>>> LDAP proxy databases).
>>>
>>> The translucent overlay would allow you to store extra information on
>>> your OpenLDAP server that's not in the AD directories. It doesn't sound
>>> like this is necessary for you, but I may be wrong.
>>>
>>> Hope this helps,
>>> Jonathan
>>>
>>>
>>>> What completely puzzles me is the NSS/PAM configuration and how PADL
>>>> NSS
>>>> and OpenLDAP interact respectively not interact:
>>>>
>>>> - If I configure OpenLDAP (/etc/openldap/ldap.conf) instead of PADL
>>>> NSS
>>>> (/etc/ldap.conf) how do I configure NSS/PAM for OpenLDAP? I need
>>>> "getent
>>>> passwd" and "getent group" and of course PAM logins to work. E.g.
>>>> getent
>>>> passwd has to give me back all users from BOTH ADs that have UNIX
>>>> attributes stored. But since there seems to be only the PADL NSS
>>>> module
>>>> in
>>>> existance (/lib/libnss_ldap.so.2), I am clueless on how to integrate
>>>> the
>>>> OpenLDAP variant. Shouldn't there be something like
>>>> /lib/libnss_openldap.so and shouldn't I be able to add something like
>>>> "passwd: compat openldap" to /etc/nsswitch.conf? I guess not, but I
>>>> don't
>>>> understand why.
>>>>
>>>> - So that leaves me with the idea of *somehow* fetching the UNIX
>>>> attributes from both ADs via OpenLDAP, set up a local OpenLDAP server
>>>> to
>>>> store this information in, and then using the PADL NSS module to query
>>>> it.
>>>> I'm not sure if this is the right approach or if this is even
>>>> technically
>>>> feasible. Is there maybe a easier way with less overhead (e.g. no
>>>> OpenLDAP
>>>> server required).
>>>>
>>>> Thank you very much for any hints or pointers that you might share
>>>> with
>>>> me! I'm really lost...
>>>>
>>>> Best regards
>>>> Markus
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> --------------------------------------------------------------
>>> Jonathan Clarke - jonathan@phillipoux.net
>>> --------------------------------------------------------------
>>> Ldap Synchronization Connector (LSC) - http://lsc-project.org
>>> --------------------------------------------------------------
>>>
>>
>>
>>
>
>
>