[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: slapd.conf for proxy to AD
Just to elaborate on some of my own points below:
Like a lot of people I guess, I'm having trouble configuring slapd to
work as a proxy server in front of Microsoft's Active Directory. AD in
this case is configured to refuse to allow anonymous searches but I want
to allow anonymous searches on the proxy. Therefore the configuration
I'm hoping for is:
* Anonymous binds to slapd get translated into an authenticated bind to AD.
* Authenticated binds to slapd have their credentials (DN and password)
passed through to AD.
According to man slapd-ldap, which says:
idassert-bind bindmethod=none|simple|sasl [binddn=<simple DN>]
[credentials=<simple password>] [saslmech=<SASL mech>]
[secprops=<properties>] [realm=<realm>] [authcId=<authentication
ID>] [authzId=<authorization ID>] [authz={native|proxyauthz}]
[mode=<mode>] [flags=<flags>] [starttls=no|yes|critical]
[tls_cert=<file>] [tls_key=<file>] [tls_cacert=<file>]
[tls_cacertdir=<path>] [tls_reqcert=never|allow|try|demand]
[tls_ciphersuite=<ciphers>] [tls_protocol_min=<version>]
[tls_crlcheck=none|peer|all]
Allows to define the parameters of the authentication method
that is internally used by the proxy to authorize connections
that are authenticated by other databases. The identity defined
by this directive, according to the properties associated to the
authentication method, is supposed to have auth access on the
target server to attributes used on the proxy for authentication
and authorization, and to be allowed to authorize the users.
This requires to have proxyAuthz privileges on a wide set of
DNs, e.g. authzTo=dn.subtree:"", and the remote server to have
authz-policy set to to or both. See slapd.conf(5) for details
on these statements and for remarks and drawbacks about their
usage. The supported bindmethods are
So it seems that this is the parameter I want.
none|simple|sasl
where none is the default, i.e. no identity assertion is
performed.
I think I need "simple" here because I want OpenLDAP to do a simple bind (non-SASL) to AD.
...
The supported modes are:
<mode> := {legacy|anonymous|none|self}
If <mode> is not present, and authzId is given, the proxy always
authorizes that identity. <authorization ID> can be
u:<user>
[dn:]<DN>
The former is supposed to be expanded by the remote server
according to the authz rules; see slapd.conf(5) for details. In
the latter case, whether or not the dn: prefix is present, the
string must pass DN validation and normalization.
The default mode is legacy, which implies that the proxy will
either perform a simple bind as the authcDN or a SASL bind as
the authcID and assert the client’s identity when it is not
anonymous. Direct binds are always proxied. The other modes
imply that the proxy will always either perform a simple bind as
the authcDN or a SASL bind as the authcID, unless restricted by
idassert-authzFrom rules (see below), in which case the
operation will fail; eventually, it will assert some other
identity according to <mode>.
It seems to me that I want mode=legacy according to this. I want it to perform a simple bind
as some ID (VALID-BIND-DN below) when the client is anonymous, but assert the client's identity
when it is not anonymous.
I have to say that the language of the manual here is far from clear. It doesn't actually
define what is meant by "authcDN" for example, I'm only assuming that that means the "<simple
DN>" given as the argument to the binddn option of this parameter. Also it could skip the
double negatives.
However it doesn't appear to work. Any ideas?
Here's what I have so far, based on the documentation. I'm using
slapd.conf rather than the new conf.d directory based config, and I'm
currently running openldap 2.4.19:
--
database ldap
chase-referrals no
suffix "MY-AD-SUFFIX-HERE"
uri "ldaps://MY-AD-SERVER-HERE/"
cancel abandon
acl-bind bindmethod=simple binddn="VALID-BIND-DN"
credentials="VALID-PASSWORD"
idassert-bind bindmethod=simple binddn="VALID-BIND-DN
credentials="VALID-PASSWORD" mode=legacy flags=non-prescriptive
idassert-authzFrom "dn.regex:.*"
access to * by * read
--
You can assume I've used valid bind DNs, suffixes, server names and
passwords in the places where I've resorted to capitals above. I've
tested these binds from the command line directly against the AD server
and they all work.
I have tested the above on OpenLDAP 2.3, it works for anonymous binds if
and only if a successful authenticated bind is done first. The same was
reported in this post:
http://www.openldap.org/lists/openldap-technical/200907/msg00043.html
In OpenLDAP 2.4 it fails to recognise the idassert-bind completely, all
attempts at anonymous bind seem to fail. A similar problem was reported
while upgrading to 2.3.11 to 2.3.27, here:
http://www.openldap.org/lists/openldap-software/200701/msg00055.html
Am I using the correct configuration directives to achieve what I want,
and if not what should I be using?
Thanx,
--
Del