Re: setting up openldap to proxy to AD on SUSE ENT 12
- To: N6Ghost <n6ghost@gmail.com>, openldap-technical@openldap.org
- Subject: Re: setting up openldap to proxy to AD on SUSE ENT 12
- From: Peter <peter.gietz@daasi.de>
- Date: Tue, 5 Mar 2019 16:17:14 +0100
- In-reply-to: <71a3081f-a6b4-9a65-f3c7-9fb3e22fa0af@gmail.com>
- References: <47a7357d-69cd-2bef-b6c1-62f9820a1ce0@gmail.com> <20190226090732.66ea6332@pink.fritz.box> <71a3081f-a6b4-9a65-f3c7-9fb3e22fa0af@gmail.com>
On 26.02.19 at 18:18, N6Ghost wrote:
>
> On 2/26/2019 12:07 AM, Dieter Klünter wrote:
>> On Mon, 25 Feb 2019 13:34:45 -0800,
>> N6Ghost <n6ghost@gmail.com> wrote:
>>
>>> hi all,
>>>
>>> I am trying to set up an openldap proxy to AD and I need to use SUSE
>>> Enterprise Linux 12.
>>>
>>> Hostname:/etc/openldap # rpm -qa|grep -i openldap
>>> openldap2-2.4.41-18.43.1.x86_64
>>> openldap2-client-2.4.41-18.43.1.x86_64
>>>
>>> What I am trying to do is proxy an application (with 1000s of users)
>>> from talking directly to AD, to talking to openldap, and then have
>>> openldap talk to AD.
>>> Looking across the net there is a bunch of stuff, but most of it does not
>>> seem to apply, or work. Looking at the official doc, it says use SASL, but
>>> you must have a local entry with a {SASL} tag on the user; that's not
>>> really ideal and would make a huge problem. A few of the posts online
>>> just said pointing to AD via ldap is possible? And this application also
>>> has a group lookup as part of its auth process... e.g., only members of
>>> groupX can access....
>>>
>>> any help in this would be huge.
>>>
>>>
>>> Seems I am mixing up a few different ways of doing this; what's the
>>> best way to do this?
>> I presume you are running slapd with slapd-ldap(5) backend.
>> AD requires non standard attribute types, which openldap does not
>> provide. Include AD schema files into slapd.
>> RFC-4513 requires SASL for strong binds; if your AD is set up as KDC you
>> may include openldap services as kerberos host and service principals.
>>
>> -Dieter
>
> Where do I get the AD schema that's not in the schema directory?
See Quanah's response.
> yea I was working with /etc/slapd.conf, but in openldap 2.4 it seems
> some stuff has changed,
Maybe you mean the option to put the configuration in the LDAP data
(below cn=config) instead of using slapd.conf. You can still use the
latter though.
> and lots
> of very conflicting information on how to go about getting the proxy
> to AD; lots of posts say you can just have a config in slapd.conf, but
> that not only does not work,
> but many of the items in those configs don't work, and will not allow
> the service to even start.
>
> Then there is the matter where the official docs say you can pass
> through, but the accounts need a local openldap account with {SASL}
> tagged, which for a large
> domain with 1000s of users is a pain.
So there are several possibilities to integrate OL and AD:
1.) What you are referring to is pass-through authentication, where
all data are managed in OL except the password, i.e. bind requests
(authentication) are proxied to AD. This is done by including
{SASL}username@realm in the userPassword attribute. If you have the AD
username in OL already, this can be done with a script quite easily.
2.) Using only the data in AD and letting OL proxy everything. This can be
done via the ldap backend or the meta backend, both in combination with the
rwm overlay. Here you need to include the AD schema pointed to by Quanah.
3.) The Kerberos-based solution mentioned by Dieter.
4.) You can also have a look at the translucent proxy overlay.
Which solution is best for you depends on your requirements.
Of course yet another solution might be that you introduce a proper
identity management system that provisions AD and OL as target systems...
Hope this helps clarify things.
Cheers,
Peter
>
> And it seems openldap is more of a solutions backend that has a
> bazillion options, and you build out a design and options, configs
> etc. based on your needs.
> And you have got to hunt down the how and what's supported etc., and you have
> to deal with the distros' packaging....
>
>
> -N6Ghost
--
_______________________________________________________________________
Peter Gietz (CEO)
DAASI International GmbH phone: +49 7071 407109-0
Europaplatz 3 Fax: +49 7071 407109-9
D-72072 Tübingen mail: peter.gietz@daasi.de
Germany Web: www.daasi.de
DAASI International GmbH, Tübingen
Geschäftsführer Peter Gietz, Amtsgericht Stuttgart HRB 382175
Directory Applications for Advanced Security and Information Management
_______________________________________________________________________
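Option 2 above (the ldap backend plus the rwm overlay, with every bind and search forwarded to AD) is the variant that matches the original question, so here is a slapd.conf for it. This is an added example, not configuration from anyone in the thread or from the OpenLDAP project; the hostnames, suffixes, certificate paths, module path and the name of the AD schema file are assumptions, and the AD schema file itself has to be obtained as the thread suggests.

```conf
# /etc/openldap/slapd.conf: OpenLDAP 2.4 slapd as a proxy in front of AD
# (option 2 in the reply above). Every hostname, DN, file path and the
# AD schema file name below are assumptions for this example.

include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema
# AD attribute types (sAMAccountName, memberOf, ...) and object classes
# (user, group) are not in the stock schema. Include an AD schema file
# obtained as suggested in the thread; the path is an assumption.
include   /etc/openldap/schema/microsoft.schema

# Only needed when back_ldap and rwm are built as modules (assumed paths).
modulepath  /usr/lib64/openldap
moduleload  back_ldap.la
moduleload  rwm.la

# The application sends user passwords through this proxy, so the proxy
# gets its own TLS listener and anonymous binds are refused. With
# "security ssf=128" every operation must arrive over TLS (128-bit or better).
TLSCACertificateFile   /etc/openldap/certs/ca.pem
TLSCertificateFile     /etc/openldap/certs/proxy.pem
TLSCertificateKeyFile  /etc/openldap/certs/proxy.key
disallow  bind_anon
security  ssf=128

database   ldap
suffix     "dc=example,dc=com"
# Two DCs, tried in order. StartTLS towards AD with the AD CA pinned and
# certificate verification required, so passwords never cross the wire
# in the clear and a spoofed DC is rejected.
uri        "ldap://dc1.ad.example.com/ ldap://dc2.ad.example.com/"
tls        start tls_cacert=/etc/openldap/certs/ad-ca.pem tls_reqcert=demand
protocol-version 3
# Client binds are forwarded to AD (after DN rewriting), so AD checks the
# password; no local user entries and no {SASL} userPassword values are
# needed, and this file holds no AD credential at all. Keep the client's
# credentials so the proxy can re-bind if its AD connection drops.
rebind-as-user   yes
# AD returns referrals for other partitions; do not follow them.
chase-referrals  no
# The application must bind before it may search. Drop this line if it
# reads the rootDSE or searches anonymously first.
require   authc

# Present the AD naming context under the local suffix and translate
# attribute and objectClass names the application expects.
overlay            rwm
rwm-rewriteEngine  on
rwm-suffixmassage  "dc=example,dc=com" "dc=ad,dc=example,dc=com"
# Specific mappings first, then pass everything else through unchanged.
rwm-map  attribute   uid            sAMAccountName
rwm-map  attribute   *              *
rwm-map  objectclass inetOrgPerson  user
rwm-map  objectclass *              *
```

Check the file with `slaptest -u -f /etc/openldap/slapd.conf` before starting slapd. Then, with a real AD user, verify the two operations the application performs: a bind as `cn=jdoe,ou=Users,dc=example,dc=com` (rewritten to the `dc=ad,dc=example,dc=com` DN and verified by AD), followed on the same connection by the group lookup, e.g. a search under `dc=example,dc=com` for `(&(objectClass=group)(member=cn=jdoe,ou=Users,dc=example,dc=com))`. The member DN in that filter is subject to the same suffix massage as the search base, so the application can keep using the local suffix everywhere; if `memberOf` or other AD attributes are missing from the results, the AD schema include is the first thing to check, since slapd drops attributes it has no schema for.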