[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd.conf for proxy to AD



>
> Hi,
>
> Like a lot of people I guess, I'm having trouble configuring slapd to work
> as a proxy server in
> front of Microsoft's Active Directory.  AD in this case is configured to
> refuse to allow
> anonymous searches but I want to allow anonymous searches on the proxy.
> Therefore the
> configuration I'm hoping for is:
>
> * Anonymous binds to slapd get translated into an authenticated bind to
> AD.
> * Authenticated binds to slapd have their credentials (DN and password)
> passed through to AD.
>
> Here's what I have so far, based on the documentation.  I'm using
> slapd.conf rather than the
> new conf.d directory based config, and I'm currently running openldap
> 2.4.19:
>
> --
> database        ldap
> chase-referrals no
> suffix          "MY-AD-SUFFIX-HERE"
> uri             "ldaps://MY-AD-SERVER-HERE/"
> cancel          abandon
>
> acl-bind        bindmethod=simple binddn="VALID-BIND-DN"
> credentials="VALID-PASSWORD"
>
> idassert-bind   bindmethod=simple binddn="VALID-BIND-DN
> credentials="VALID-PASSWORD"
> mode=legacy flags=non-prescriptive
>
> idassert-authzFrom "dn.regex:.*"
>
> access to * by * read
> --
>
> You can assume I've used valid bind DNs, suffixes, server names and
> passwords in the places
> where I've resorted to capitals above.  I've tested these binds from the
> command line directly
> against the AD server and they all work.
>
> I have tested the above on OpenLDAP 2.3, it works for anonymous binds if
> and only if a
> successful authenticated bind is done first.  The same was reported in
> this post:
>
> http://www.openldap.org/lists/openldap-technical/200907/msg00043.html
>
> In OpenLDAP 2.4 it fails to recognise the idassert-bind completely, all
> attempts at anonymous
> bind seem to fail.  A similar problem was reported while upgrading to
> 2.3.11 to 2.3.27, here:
>
> http://www.openldap.org/lists/openldap-software/200701/msg00055.html
>
> Am I using the correct configuration directives to achieve what I want,
> and if not what should
> I be using?

As far as I recall, what you need is not possible.  You can:

- have authenticated users proxied with their identity asserted, or

- all users, including unauthenticated ones auth'd as a fixed identity

but not both.  Please note that you're asking OpenLDAP's slapd to bridge
the gap between two broken pieces of code: clients that cannot be
configured to bind, and AD that cannot be configured to accept anonymous
requests (AFAIK).  Feel free to suggest an enhancement that allows to
handle this scenario, though.

p.