
We have an application that used to authenticate via our Atlassian Crowd instance, but after a major rewrite that authentication source is not available anymore. Now I need a solution to authenticate users from both our Active Directory and an OpenLDAP server, which was previously handled by Crowd.

The most promising option seems to be the OpenLDAP meta backend, and I now have a configuration where I can find users from both directories with ldapsearch, but authentication only works for AD users. I found a couple of questions like this, which were very helpful, but ultimately didn't work for me.

```
        Application
             │
             ▼
       OpenLDAP (meta)
             │
        ┌────┴────┐
        │         │
OpenLDAP ◄──┘     └──► Active Directory
```

This is my current configuration:

```
moduleload back_meta.la
moduleload back_ldap.la
moduleload rwm

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/msuser.schema

database meta

suffix "dc=openldap,dc=Example,dc=com"
uri "ldap://openldap.example.com/dc=openldap,dc=Example,dc=com"
map objectclass user inetOrgPerson
map attribute sAMAccountName uid
#map attribute unicodePwd userPassword
map attribute objectGUID entryUUID
map objectclass group groupOfUniqueNames
map attribute member uniqueMember
protocol-version 3
#rebind-as-user yes
idassert-authzFrom "dn.regex:.*"

suffix "DC=ad,DC=Example,DC=com"
uri "ldap://dc01.ad.example.com/DC=ad,DC=Example,DC=com"
rebind-as-user yes
chase-referrals no
readonly yes
protocol-version 3
idassert-bind bindmethod=simple binddn="CN=username,OU=Service-Accounts,DC=ad,DC=Example,DC=com" credentials="PASSWORD" flags=override mode=none
norefs yes
sizelimit 999
idassert-authzFrom "dn.regex:.*"

suffix "dc=Example,dc=com"
rootdn "cn=admin,dc=Example,dc=com"
rootpw PASSWORD
```

It seems that the only problem left is the password field. According to the MS documentation both unicodePwd and userPassword exist in AD, yet neither works for the OpenLDAP server (which uses userPassword). I was unable to find out how passwords are hashed in AD; the accounts stored in OpenLDAP are hashed with MD5 or SSHA, depending on the age of the password, I guess.

I tried rebind-as-user on and off for the OpenLDAP server, I tried binding with a username instead of anonymous, I have no ideas left.

What is missing to be able to authenticate against both directories?

  • The way I have seen this work in the past is to 'adopt' one of the directories as primary, with a synchronization process that periodically syncs the other directories with the primary. Commented Jan 25, 2024 at 9:30
  • Yeah, I thought about that. The problem here is that for the OpenLDAP server the mail address attribute was chosen for the login to prevent collisions with existing usernames in the AD. That makes synchronization somewhat difficult without changing logins for a couple of hundred users (not counting CI/CD configurations). Commented Jan 25, 2024 at 9:36
  • AD userPassword has a switch that enables it to be stored as plain text. I suspect it was for synchronization. I wouldn't use it though. This is an interesting field with interesting products. Microsoft has Identity Manager, but it probably is not that common compared to others like Ping/Sailpoint. If you only need password sync and login, that is probably the simplest scenario. learn.microsoft.com/en-us/microsoft-identity-manager/reference/… Commented Jan 25, 2024 at 10:39

1 Answer

I finally found a working configuration. After realizing that the only thing not working was the authorization I moved the configuration from a separate LDAP server to the LDAP server that holds the accounts.

I added an additional meta database with a DN above the existing database and added the attribute olcSubordinate: TRUE to the existing database.

```
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb.la
olcModuleLoad: {1}back_meta.la
olcModuleLoad: {2}back_ldap
olcModuleLoad: {3}rwm

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=hostname,dc=example,dc=com
structuralObjectClass: olcHdbConfig
olcSubordinate: TRUE

dn: olcDatabase={2}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {2}meta
olcSuffix: dc=example,dc=com
olcDbOnErr: continue
olcDbCancel: abandon
olcDbTFSupport: no
structuralObjectClass: olcMetaConfig

dn: olcMetaSub={0}ad,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {0}ad
olcDbURI: ldaps://dc.example.com/DC=ad,DC=example,DC=com
olcDbIDAssertAuthzFrom: {0}dn.regex:.*
olcDbIDAssertBind: bindmethod=simple binddn="CN=user,OU=service users,DC=ad,dc=example,dc=com" credentials="XXXXXXXXXXXXXXXXXXXXXXXXXXXXX" flags=override mode=none
olcDbMap: {0}objectclass inetOrgPerson user
olcDbMap: {1}attribute uid sAMAccountName
olcDbMap: {2}attribute entryUUID objectGUID
olcDbMap: {3}objectclass groupOfUniqueNames group
olcDbMap: {4}attribute uniqueMember member
olcDbChaseReferrals: FALSE
olcDbNoRefs: TRUE
olcDbProtocolVersion: 3
olcDbRebindAsUser: TRUE
structuralObjectClass: olcMetaTargetConfig
```

Now under dc=example,dc=com I get the OUs ad and hostname, with the latter holding the local accounts and the former showing the entries from AD, with the attributes I need mapped to their corresponding names in OpenLDAP.
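The layout in this answer only routes binds correctly when the local suffix and each meta target's naming context both sit under the glue suffix without overlapping each other. The following is an added check (not the poster's configuration or code) that parses a cn=config LDIF of that shape and reports violations; the hostnames and DNs in the sample are placeholders.

```python
# Added consistency check (not the poster's code) for a cn=config layout shaped like the
# answer's: a meta glue suffix over a local olcSubordinate database plus remote targets.
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=hostname,dc=example,dc=com
olcSubordinate: TRUE

dn: olcDatabase={2}meta,cn=config
olcSuffix: dc=example,dc=com

dn: olcMetaSub={0}ad,olcDatabase={2}meta,cn=config
olcDbURI: ldaps://dc.example.com/DC=ad,DC=example,DC=com
"""  # constructed sample with placeholder hostnames, not a real deployment
def parse_ldif(text):
    """Split one-attribute-per-line LDIF into dicts of lowercase attr -> [values]."""
    entries = []
    for block in text.strip().split("\n\n"):
        cur = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(val.strip())
        entries.append(cur)
    return entries

def is_subordinate(child, parent):
    """True if child lies strictly below parent; RDNs compared case/space-insensitively."""
    c = [r.strip().lower() for r in child.split(",")]
    p = [r.strip().lower() for r in parent.split(",")]
    return len(c) > len(p) and c[-len(p):] == p

def check_glue_layout(ldif_text):
    """Return findings (empty = consistent): every olcSubordinate suffix and target naming
    context must sit below the meta suffix, and the local suffix must not overlap a target."""
    entries = parse_ldif(ldif_text)
    metas = [e for e in entries if e["dn"][0].lower().startswith("olcdatabase=")
             and "meta" in e["dn"][0] and "olcsuffix" in e]
    if len(metas) != 1:
        return ["expected exactly one meta (glue) database with an olcSuffix"]
    glue = metas[0]["olcsuffix"][0]
    subs = [e["olcsuffix"][0] for e in entries
            if e.get("olcsubordinate", [""])[0].upper() == "TRUE"]
    ctxs = [e["olcdburi"][0].split("/", 3)[-1] for e in entries
            if e["dn"][0].lower().startswith("olcmetasub=") and "olcdburi" in e]
    findings = [f"{dn} is not below the meta suffix {glue}"
                for dn in subs + ctxs if not is_subordinate(dn, glue)]
    for s in subs:
        for c in ctxs:
            if s.lower() == c.lower() or is_subordinate(s, c) or is_subordinate(c, s):
                findings.append(f"local suffix {s} overlaps target context {c}")
    return findings
```

Run it against the output of `slapcat -b cn=config` (one attribute per line) to confirm the glue suffix covers both directories before relying on it for logins.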
