[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: setting up openldap to proxy to AD on SUSE ENT 12
Am Tue, 26 Feb 2019 09:18:09 -0800
schrieb N6Ghost <n6ghost@gmail.com>:
> On 2/26/2019 12:07 AM, Dieter Klünter wrote:
> > Am Mon, 25 Feb 2019 13:34:45 -0800
> > schrieb N6Ghost <n6ghost@gmail.com>:
> >
> >> hi all,
> >>
> >> I am trying to setup an openldap proxy to AD and i need to use SUSE
> >> Enterprise Linux 12.
> >>
> >> Hostname:/etc/openldap # rpm -qa|grep -i openldap
> >> openldap2-2.4.41-18.43.1.x86_64
> >> openldap2-client-2.4.41-18.43.1.x86_64
> >>
> >> what I am trying to do, is proxy an application (with 1000s of
> >> users) from talking directory to AD, to talking to openldap. and
> >> then have openldap talk to AD.
> >> look across the net is a bunch of stuff, but most of it does not
> >> seem to apply, or work. look at the offical doc, says use sasl but
> >> you must have an local entry with a {sasl] tag on the user thats
> >> not really ideal and work make a huge problem. a few of the posts
> >> online just said point to AD via ldap is possible? and this
> >> application also has a group lookup as part of its auth
> >> process... eg, only member of groupX can access....
> >>
> >> any help in this would be huge.
> >>
> >>
> >> seems, i am mixing up a few different ways of doing this whats the
> >> bets way to do this?
> > I presume you are running slapd with slapd-ldap(5) backend.
> > AD requires non standard attribute types, which openldap does not
> > provide. Include AD schema files into slapd.
> > RFC-4513 requires sasl for strong binds, if your AD is setup as KDC
> > you may include openldap services as kerberos host and service
> > pricipals.
> >
> > -Dieter
>
> where do i get the AD schema that's not in the schema directory. yea
> i was working with /etc/sldap.conf, but in openldap 2.4 it seems some
> stuff has changed, and lots
> of very conflicting information on how to go about getting the proxy
> to AD, lost of posts say you can just have a config in sldap.conf,
> but that not only does not work
> but many of the items in those config dont work, and will not allow
> the service to even start.
There hasn't been changed much since openldap-2.1 with regard to
protocol requirements.
>
> then there is the matter, where the official docs say you can pass
> thru, but the accounts needs a local openldap account with {sasl}
> taged. which for a large
> domain with 1000s of users is a pain.
That's why i did point to Kerberos.
> > and it seems openldap is more of a solutions backend that has a
> bazillion options. and you build out a design and options, configs
> etc based on your needs.
> and you got to hunt down the how and whats supported etc, and you
> have to deal with the distros packaging....
Most of the options you refer to are built-in as default, that is,
only tweak configuration parameters that are required for your setup.
Just as a hint:
ldapsearch -x -H ldap://path/to/AD -b "" -s base "(objectClass=*)" \
namingContexts subschemaSubentry
search for subschemaSubentry attribute type.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E