
SLAPD Proxy and AD backend - Binding by UPN.



Hello everyone.

First of all, I'm a newbie in OpenLDAP Server administration (but not in 
Active Directory). That said, this is my goal:

- set up an LDAP Front-End Server to an AD Back-End Server - and, so far, there 
is plenty of information about this. 

But I wanna do it in an environment where there are many UX services which 
bind to the AD Server, and each of these services needs an ldap-client 
configuration, with insertion and storing of credentials for binding. One of 
these is Dovecot, which does ldap-authentication of each of its users in the 
typical fashion...

	user: ad_username@my.ad
	psw:  ad_username_password

Hence, I wish to avoid spreading AD-binding credentials by gathering this 
pair of data in just one point of my system: that is, the OpenLDAP proxy or 
SLAPD Front-End.

I've already tried to do it. 

First of all, I got an error at the installation stage which drove me crazy and 
I've not yet solved: i.e., after copying the DB_CONFIG example file to the lib 
directory:

	root@lamp ~# rm -fr /var/lib/ldap/* && rm -fr  /etc/ldap/slapd.d/* && cp /usr/share/slapd/DB_CONFIG /var/lib/ldap/DB_CONFIG

when I run:

	root@lamp ~# slapadd -v -l xdom.ldif+

I get an error like the following:

	52e1597b bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (14).

Even though DB_CONFIG is there and has the right permissions... Anyway, I 
discovered that this issue was not blocking, so I went forward. 

I populate slapd.d:

	root@lamp ~# slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/
	52e280b2 bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (14).
	Expect poor performance for suffix "dc=xdom,dc=loc".

I gave the right permissions to the directories:

	root@lamp ~# chown -R openldap:openldap /etc/ldap/slapd.d/ && chown -R openldap:openldap /var/lib/ldap/

and I started the LDAP service:

	root@lamp ~# service slapd start

At this time, I tested the OpenLDAP Proxy Server with 5 combinations of ldap 
request:

1) bypassing the OpenLDAP Proxy Server and directly binding to the AD Server by 
conventional D.N.:

	ldapsearch -H ldap://server.my.ad -D "cn=ad_user,ou=ced,dc=my,dc=ad" -w ad_user_password -x -b "ou=ced,dc=my,dc=ad" -LLL "(sAMAccountName=*)"

and it works.

2) bypassing the OpenLDAP Proxy Server and directly binding to the AD Server by 
U.P.N. (User Principal Name):

	ldapsearch -H ldap://server.my.ad -D ad_user@my.ad -w ad_user_password -x -b "ou=ced,dc=my,dc=ad" -LLL "(sAMAccountName=*)"

and it works.

3) through the OpenLDAP Proxy Server without any binding:

	ldapsearch -x -b  "ou=ced,dc=my,dc=ad" -LLL "(sAMAccountName=*)"

and it works.

4) through the OpenLDAP Proxy Server and binding by conventional D.N.:

	ldapsearch -D "cn=ad_user,ou=ced,dc=my,dc=ad" -w ad_user_password -x -b "ou=ced,dc=my,dc=ad" -LLL "(sAMAccountName=*)"

and it works.

5) through the OpenLDAP Proxy Server and binding by U.P.N. (User Principal Name):

	ldapsearch -D ad_user@my.ad -w ad_user_password -x -b "ou=ced,dc=my,dc=ad" -LLL "(sAMAccountName=*)"

and it DOES NOT work.

And it is a very BIG BIG problem for me: I cannot force users to authenticate 
themselves in Dovecot by a complicated and unacceptable (because of comma, equal 
and space characters) D.N.!!!!

I tried to face this issue with the Rewriting Overlay, just to discover that 
this library rewrites the BINDDN only after the "dnPrettyNormal()" call (making 
the "rewriting method" useless...)

Now, please: help me!!!! What can I do? How can I solve my issue??? And how 
can I avoid the DB_CONFIG issue?

Regards,
Egidio.


PS: my ldap.conf and slapd.conf follow

## LDAP.CONF ####################################

BASE	dc=xdom,dc=loc
URI	ldap://localhost
TLS_CACERT	/etc/ssl/certs/ca-certificates.crt


## SLAPD.CONF ####################################

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

logfile			/var/log/slapd.log
loglevel        -1

modulepath	/usr/lib/ldap

moduleload		back_bdb
moduleload		back_ldap
moduleload		rwm

tool-threads 1

database	bdb
suffix		"dc=xdom,dc=loc"
checkpoint	1024 15
rootdn		"cn=droot,dc=xdom,dc=loc"
rootpw		{SSHA}Xhy4Gc0k5DU+gfpbpkv+PJWJ92Itp5rJ

Database        	ldap
Suffix          	"dc=ts,dc=dipvvf,dc=it"
Uri             	"ldap://server.my.ad/ ldap://server2.my.ad/";
rebind-as-user		
idassert-bind   	bindmethod=simple
					binddn="cn=email ed. demon,ou=email,ou=virtualization,ou=ced,dc=ts,dc=dipvvf,dc=it"
					credentials=xxxxxx
					mode=none

idassert-authzFrom 	"*"

overlay rwm
rwm-rewriteEngine on
rwm-rewriteMap ldap samacc "ldap://vfdc1.ts.dipvvf.it/dc=ts,dc=dipvvf,dc=it?dn?sub?samaccountname="

#"ldap:///dc=ts,dc=dipvvf,dc=it?dn?sub?samaccountname=";
rwm-rewriteContext bindDN
rwm-rewriteRule "^([^,]+)@[^,]+$" "${samacc($1)}" ":@I"
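Added illustration, not part of the original post or of OpenLDAP's code: a Python model of the two steps the post describes, slapd's DN-syntax check on the bind DN (dnPrettyNormal) followed by the posted rwm-rewriteRule, with a constructed sAMAccountName-to-DN table standing in for the ldap rewriteMap. The names SAMACC_MAP, is_valid_dn, rewrite_upn and proxy_bind_dn are assumptions; it shows that the regex does match a UPN, but the bind is rejected before the rule ever runs.

```python
import re

# Constructed stand-in for the AD lookup that the posted rwm-rewriteMap "samacc"
# performs: sAMAccountName -> DN. Sample data only, not a real directory.
SAMACC_MAP = {"ad_user": "cn=ad_user,ou=ced,dc=my,dc=ad"}

# The regex of the posted rwm-rewriteRule, applied to the bind DN as received.
UPN_RULE = re.compile(r"^([^,]+)@[^,]+$")

# RFC 4514 attribute type: a descriptor (keystring) or a dotted numeric OID.
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def split_unescaped(s, sep):
    """Split s on sep, skipping separators escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):  # keep the escape pair as-is
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts

def is_valid_dn(dn):
    """Minimal RFC 4514 syntax check: each RDN is '+'-joined attr=value pairs."""
    if dn == "":
        return True  # the empty DN (anonymous bind) is syntactically valid
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):
            if "=" not in ava or not ATTR_TYPE.match(ava.split("=", 1)[0].strip()):
                return False
    return True

def rewrite_upn(binddn, lookup=SAMACC_MAP.get):
    """The posted rule: 'sam@realm' -> DN found by sAMAccountName, else unchanged."""
    m = UPN_RULE.match(binddn)
    return (lookup(m.group(1)) or binddn) if m else binddn

def proxy_bind_dn(binddn):
    """slapd's order of operations as the post describes it: the bind DN must pass
    the DN syntax check (dnPrettyNormal) before any rwm rule can rewrite it."""
    if not is_valid_dn(binddn):
        return None  # slapd returns invalidDNSyntax; the rewrite never runs
    return rewrite_upn(binddn)
```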