Hello,
thanks for your answer.
But I don’t have any local users. All users are in two targets: domain01.com and domain99.net (AD). Where I should place userPassword attribute?
My problem:
We have a VoIP realized by Cisco Unified Call Manager (CUCM). There are several thousand users in the customers directory (domain01.com) using CUCM for Voice and ca 100 adminusers in the supplier directory (domain99.net). No trusting, different companies.
Because CUCM can use only one directory to authenticate users I've implemented a OpenLDAP Metadirectory that proxying this 2 Microsft AD targets.
But meta backend tries to authenticate by the first target, if the user was not found, by the second.
Result: Intrusion detection register a lot of unsuccessfully login attempts.
Therefore my question:
Is it possible to implement the controlled proxy with OpenLDAP ?
Can you help me please
Kind regards
Waldemar
################################################################
> Is it possible to implement the controlled proxy with OpenLDAP ?
> E.g., like Radiusproxy based on realm: when username is
Yes, a combination of meta database config in slapd.conf and appropriate SASL config.
In your schema, use the following in userPassword:
userPassword: {SASL}xxx@DOMAIN
where DOMAIN is whichever domain the user needs to be authenticated against.
In slapd.conf:
database meta
suffix dc=local
rootdn cn=administrator,dc=local
rootpw secret
# domain01
uri ldaps://domain01.com:3269/ou=domain01.com,dc=local
lastmod off
suffixmassage "ou=domain01.com=local" "dc=domain01,dc=com"
idassert-bind bindmethod=simple
binddn="cn=binder,dc=domain01,dc=com"
credentials="password"
flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=administrator,dc=local"
# domain02
uri ldaps://domain02.com:3269/ou=domain02.com,dc=local
lastmod off
suffixmassage "ou=domain02.com=local" "dc=domain02,dc=com"
idassert-bind bindmethod=simple
binddn="cn=binder,dc=domain02,dc=com"
credentials="password"
flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=administrator,dc=local"
In saslauthd.conf you need to create the appropriate search base for authentication based on the domain in the userPassword field:
ldap_servers: ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi-meta
ldap_search_base: ou=%d,dc=local
ldap_filter: (sAMAccountName=%U)
ldap_auth_method: bind
ldap_bind_dn: cn=administrator,dc=local
ldap_password: secret
ldap_deref: never
ldap_use_sasl: no
Hopefully this is enough info to get you going.
--
IT Services Tel: +44 (0)116 2522254
University of Leicester, University Road Leicestershire LE1 7RH, United Kingdom