
I am trying to use the openldap meta back end to accomplish the following in a single query:

  1. query the local openldap database for the account. (I control this resource and only a few accounts will be stored here.)

  2. if the account is not found locally, then next query active directory (where I have no ability to create accounts)

The user will only be found in one or the other, but not both.

I have tried to follow numerous tutorials to accomplish this, but none have matched my exact scenario and I have been unable to tweak any of them into working order.

For testing I have created a simple LDIF backend to allow anonymous binds:

    database ldif
    suffix "ou=local,dc=proxy,dc=ldap"
    directory "/var/lib/ldap/"

My meta is configured as follows:

    database meta
    suffix "dc=example,dc=com"

    uri "ldaps://ad.my.edu/ou=org-1,dc=example,dc=com"
    suffixmassage "dc=org-1,dc=example,dc=com" "ou=axxxx,dc=sxxxx,dc=xxx,dc=xx,dc=xxx"
    idassert-authzFrom "dn:*"
    idassert-bind bindmethod=simple binddn="cn=XXXX,ou=it,ou=services,ou=axxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx" credentials="XXXX" mode=none
    overlay rwm
    rwm-map attribute uid sAMAccountName
    rwm-map objectClass posixAccount person

    uri "ldap://127.0.0.1/ou=org-2,dc=example,dc=com"
    suffixmassage "ou=org-2,dc=example,dc=com" "ou=local,dc=proxy,dc=ldap"

Here is the result of my search from the command line:

    ldapsearch -x -H 'ldap://127.0.0.1' -b dc=example,dc=com -s sub '(sAMAccountNAme=xxxxxx*)' -LLL

    slapd[1949]: conn=1014 op=2 UNBIND
    slapd[1949]: conn=1014 fd=9 closed
    slapd[1949]: conn=1015 fd=9 ACCEPT from IP=127.0.0.1:59624 (IP=127.0.0.1:389)
    slapd[1949]: conn=1015 op=0 BIND dn="" method=128
    slapd[1949]: conn=1015 op=0 RESULT tag=97 err=0 text=
    slapd[1949]: conn=1015 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(?sAMAccountName=xxxxxxxx*)"
    slapd[1949]: conn=1015 op=1 meta_search_dobind_init[0]: retrying URI="ldaps://ad.my.edu" DN="cn=xxxx,ou=it,ou=services,ou=axxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx"
    slapd[1949]: conn=1002 op=9 SRCH base="ou=local,dc=proxy,dc=ldap" scope=2 deref=0 filter="(?sAMAccountName=xxxxxxx*)"
    slapd[1949]: conn=1002 op=9 SEARCH RESULT tag=101 err=32 nentries=0 text=
    slapd[1949]: conn=1015 op=1 meta_back_search[1] match="" err=32 (No such object) text="".
    slapd[1949]: conn=1015 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
    ldapsearch[2054]: DIGEST-MD5 common mech free
    slapd[1949]: conn=1015 op=2 UNBIND
    slapd[1949]: conn=1015 fd=9 closed

I have made some progress. I can now retrieve the user information from Active Directory if it is not found locally, but can't then rebind-as-user to finish authentication.

I receive a "Proxy operation retry failed" error:

    slapd[22555]: conn=1000 fd=8 ACCEPT from IP=127.0.0.1:35848 (IP=127.0.0.1:389)
    slapd[22555]: conn=1001 fd=9 ACCEPT from IP=127.0.0.1:35850 (IP=127.0.0.1:389)
    slapd[22555]: conn=1000 op=0 BIND dn="cn=xxxx,ou=local" method=128
    slapd[22555]: conn=1000 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0
    slapd[22555]: conn=1000 op=0 RESULT tag=97 err=0 text=
    slapd[22555]: conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=xxxxxx)"
    slapd[22555]: conn=1002 fd=11 ACCEPT from IP=127.0.0.1:35852 (IP=127.0.0.1:389)
    slapd[22555]: conn=1002 op=0 BIND dn="cn=xxxx,ou=local" method=128
    slapd[22555]: conn=1002 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0
    slapd[22555]: conn=1002 op=0 RESULT tag=97 err=0 text=
    slapd[22555]: conn=1003 fd=13 ACCEPT from IP=127.0.0.1:35854 (IP=127.0.0.1:389)
    slapd[22555]: conn=1003 op=0 BIND dn="cn=xxxx,ou=local" method=128
    slapd[22555]: conn=1003 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0
    slapd[22555]: conn=1003 op=0 RESULT tag=97 err=0 text=
    slapd[22555]: conn=1002 op=1 SRCH base="ou=xxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx" scope=2 deref=0 filter="(uid=xxxxxx)"
    slapd[22555]: conn=1003 op=1 SRCH base="ou=local" scope=2 deref=0 filter="(uid=xxxxxx)"
    slapd[22555]: conn=1003 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
    slapd[22555]: conn=1000 op=1 meta_back_search[1] match="" err=32 (No such object) text="".
    slapd[22555]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    slapd[22555]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    slapd[22555]: conn=1001 op=0 BIND dn="cn=xxxxxx,ou=xxxx,dc=a,dc=example,dc=com" method=128
    slapd[22555]: conn=1004 fd=16 ACCEPT from IP=127.0.0.1:35858 (IP=127.0.0.1:389)
    slapd[22555]: conn=1004 op=0 BIND dn="cn=xxxxxx,ou=General,ou=xxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx" method=128
    slapd[22555]: conn=1004 op=0 ldap_back_retry: retrying URI="ldaps://active.directory" DN=""
    slapd[22555]: conn=1004 op=0 RESULT tag=97 err=52 text=Proxy operation retry failed
    slapd[22555]: conn=1004 op=1 UNBIND
    slapd[22555]: conn=1001 op=0 RESULT tag=97 err=52 text=
    slapd[22555]: conn=1004 fd=16 closed

Here is my revised meta configuration:

    database meta
    suffix dc=example,dc=com

    # The last rwm-map line maps all other attributes to nothing.
    overlay rwm
    rwm-map attribute uid sAMAccountname
    rwm-map attribute *
    #rwm-map objectclass posixGroup group
    #rwm-map objectclass posixAccount person
    #rwm-map objectclass memberUid member

    ##
    uri "ldap://127.0.0.1/dc=a,dc=example,dc=com"
    suffixmassage "dc=a,dc=example,dc=com" "ou=xxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx"
    rebind-as-user true
    idassert-bind bindmethod=simple binddn="cn=XXXX,ou=local" credentials=XXXX mode=none
    idassert-authzFrom "dn.regex:.*"

    ##
    uri "ldap://127.0.0.1/dc=b,dc=example,dc=com"
    suffixmassage "dc=b,dc=example,dc=com" "ou=local"
    rebind-as-user true
    idassert-bind bindmethod=simple binddn="cn=XXXX,ou=local" credentials=XXXX mode=none
    idassert-authzFrom "dn.regex:.*"

    ##
    database ldap
    uri ldaps://active.directory
    suffix ou=xxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx
    rebind-as-user true
    idassert-bind bindmethod=simple binddn="cn=XXXX,ou=xxxx,ou=sxxxx,ou=axxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx" credentials=XXXX tls_reqcert=allow tls_cacert=/etc/letsencrypt/live/xxxx/fullchain.pem tls_cert=/etc/letsencrypt/live/xxxx/cert.pem tls_key=/etc/letsencrypt/live/xxxx/privkey.pem mode=none
    idassert-authzFrom "dn.regex:.*"

  • The base backend is the same on your "revised configuration"? Could you post your second "ldapsearch" command please? Commented Jul 6, 2018 at 21:58
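A way to read the flattened slapd logs in the question, added here as an example (it is not from the question's author): a small shell function that pulls the per-operation outcome out of slapd's stats logging. It flags operations that ended in an error, back-meta targets that failed, back-ldap reconnect attempts, and filters whose attribute slapd wrote with a leading `?`, which is how slapd marks an attribute it has no schema definition for (as with `sAMAccountName` in the first log). The sample lines embedded in the script are constructed after the ones in the question.

```shell
#!/bin/sh
# Added example: triage slapd stats logs by connection and operation.
# Prints one line per finding:  "conn=N op=M <TYPE> <detail>"

triage_slapd_log() {
    awk '
    # every interesting event carries conn=N op=M; ACCEPT/closed lines do not
    match($0, /conn=[0-9]+ op=[0-9]+/) {
        key = substr($0, RSTART, RLENGTH)

        # filter="(?attr=..." : slapd prefixes ? when attr is undefined in its schema
        if (match($0, /filter="\(\?[A-Za-z0-9;-]+[=~<>]/)) {
            attr = substr($0, RSTART + 10, RLENGTH - 11)
            printf "%s UNDEFINED-ATTR %s\n", key, attr
        }
        # meta_back_search[i] ... err=N : target i of the meta database failed
        if ($0 ~ /meta_back_search\[[0-9]+\]/ && match($0, /err=[0-9]+/)) {
            printf "%s TARGET-ERR %s\n", key, substr($0, RSTART + 4, RLENGTH - 4)
        }
        # ldap_back_retry: back-ldap lost its upstream connection and is reconnecting
        if ($0 ~ /ldap_back_retry/ && match($0, /URI="[^"]*"/)) {
            printf "%s RETRY %s\n", key, substr($0, RSTART + 5, RLENGTH - 6)
        }
        # final RESULT / SEARCH RESULT of the op; a nonzero err is what the client saw
        if ($0 ~ / RESULT / && match($0, /err=[0-9]+/)) {
            err = substr($0, RSTART + 4, RLENGTH - 4)
            if (err + 0 != 0) printf "%s ERR %s\n", key, err
        }
    }' "$@"
}

# Constructed sample, modelled on the log lines in the question.
SAMPLE_LOG='slapd[1949]: conn=1015 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(?sAMAccountName=xxxxxxxx*)"
slapd[1949]: conn=1002 op=9 SEARCH RESULT tag=101 err=32 nentries=0 text=
slapd[1949]: conn=1015 op=1 meta_back_search[1] match="" err=32 (No such object) text="".
slapd[1949]: conn=1015 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
slapd[22555]: conn=1004 op=0 ldap_back_retry: retrying URI="ldaps://active.directory" DN=""
slapd[22555]: conn=1004 op=0 RESULT tag=97 err=52 text=Proxy operation retry failed'

if [ $# -gt 0 ]; then
    triage_slapd_log "$@"        # e.g.  ./triage.sh /var/log/slapd.log
else
    printf '%s\n' "$SAMPLE_LOG" | triage_slapd_log
fi
```

Run against a real log with `journalctl -u slapd --no-pager > slapd.log; ./triage.sh slapd.log`. On the sample it reports the undefined `sAMAccountName` in the frontend filter (the attribute is only mapped by `rwm-map` per target, so the frontend schema never learns it), the `err=32` that target 1 returned for the massaged base, and the `err=52` bind whose back-ldap retry failed.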

2 Answers


I have searched for this solution for about a month and finally stumbled across the answer in the slapd man page after seeing an example config in an openldap thread indirectly related to my problem.

The key to my solution is the idassert-bind flags section for the ldap backend. I added

    flags=override

From the slapd man page:

Flags can be

override,[non-]prescriptive,proxy-authz-[non-]critical

When the override flag is used, identity assertion takes place even when the database is authorizing for the identity of the client, i.e. after binding with the provided identity, and thus authenticating it, the proxy performs the identity assertion using the configured identity and authentication method.

Final working Backend LDAP configuration:

    database meta
    suffix dc=example,dc=com

    ##
    uri "ldaps://127.0.0.1/dc=a,dc=example,dc=com"
    suffixmassage "dc=a,dc=example,dc=com" "ou=local"
    rebind-as-user yes
    idassert-bind bindmethod=simple binddn="cn=admin,ou=local" credentials=XXXXXXXX starttls=yes tls_reqcert=allow tls_cacert=/etc/letsencrypt/live/my.site.com/fullchain.pem tls_cert=/etc/letsencrypt/live/my.site.com/cert.pem tls_key=/etc/letsencrypt/live/my.site.com/privkey.pem mode=none
    idassert-authzFrom "dn.regex:.*"

    ##
    uri "ldaps://127.0.0.1/dc=b,dc=example,dc=com"
    suffixmassage "dc=b,dc=example,dc=com" "ou=axxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx"
    rebind-as-user yes
    idassert-bind bindmethod=simple binddn="cn=admin,ou=local" credentials=XXXXXXXX starttls=yes tls_reqcert=allow tls_cacert=/etc/letsencrypt/live/my.site.com/fullchain.pem tls_cert=/etc/letsencrypt/live/my.site.com/cert.pem tls_key=/etc/letsencrypt/live/my.site.com/privkey.pem mode=none
    idassert-authzFrom "dn.regex:.*"

    ##
    database ldap
    uri ldaps://ldaps.my.site.com/
    suffix "OU=AXXXX,DC=sxxxx,DC=nxx,DC=xx,DC=xxx"
    rebind-as-user yes
    chase-referrals yes
    readonly yes
    idassert-bind bindmethod=simple binddn="CN=IXXXX,OU=IX,OU=SXXXX,OU=AXXXX,DC=sxxxx,DC=nxx,DC=xx,DC=xxx" credentials=XXXXXXXX flags=override mode=none
    idassert-authzFrom "dn.regex:.*"

    # The last rwm-map line maps all other attributes to nothing.
    overlay rwm
    rwm-map attribute uid sAMAccountname
    rwm-map attribute cn cn
    rwm-map attribute sn sn
    rwm-map attribute givenName givenName
    rwm-map attribute employeeID employeeID
    rwm-map attribute employeeNumber employeeNumber
    rwm-map attribute uidNumber uidNumber
    rwm-map attribute gidNumber gidNumber
    rwm-map attribute mail mail
    rwm-map attribute departmentNumber departmentNumber
    rwm-map attribute department department
    rwm-map attribute home extensionAttribute12
    rwm-map attribute *

  • At the end the configuration was: flags=prescriptive,proxy-authz-non-critical,override? Did you put the override option in all the idassert-bind present in your config file? Commented Jul 12, 2018 at 13:22
  • It would be greatly appreciated if you could show your final configuration. Commented Jul 12, 2018 at 13:30
  • Thank you for adding your final configuration. It really helped me. One new question: How do you send the remote (database ldap) credentials to be validated? Commented Jul 18, 2018 at 2:20
  • In case anybody is in the same place as I am. What you have to do to authenticate is first search for the real DN of the user using suffix dc=example,dc=com. Then make the bind directly to that DN. Commented Jul 19, 2018 at 19:08
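The two-step flow the last comment describes (search the proxy suffix for the user's real DN, then bind as that DN) written out as an added example; it is not from the answer's author or the commenters. It assumes the proxy listens on ldap://127.0.0.1 with suffix dc=example,dc=com and that the OpenLDAP client tools are installed; everything else is constructed. It also carries three checks the comment leaves implicit: the uid is escaped before it goes into the filter, an empty password is refused (a simple bind with a DN and an empty password is an unauthenticated bind that "succeeds"), and the lookup fails unless exactly one entry matched.

```shell
#!/bin/sh
# Added example: search-then-bind authentication through the back-meta proxy.
# Assumptions: proxy at ldap://127.0.0.1, suffix dc=example,dc=com,
# ldapsearch and ldapwhoami in PATH.

# Escape a value for use inside an LDAP search filter (RFC 4515).
# Backslash first, then ( ) * so a crafted uid cannot widen the filter.
escape_filter() {
    sed -e 's/\\/\\5c/g' -e 's/(/\\28/g' -e 's/)/\\29/g' -e 's/\*/\\2a/g'
}

# Read LDIF (as printed by `ldapsearch -LLL ... dn`) on stdin and print the DN
# only if exactly one entry matched. Zero or several matches fail: an ambiguous
# uid must not authenticate as "whichever entry came back first".
# Base64-encoded DNs ("dn:: ...") are not decoded and therefore also fail.
lookup_dn() {
    ldif=$(cat)
    n=$(printf '%s\n' "$ldif" | grep -c '^dn:' || true)
    [ "$n" -eq 1 ] || return 1
    dn=$(printf '%s\n' "$ldif" | sed -n 's/^dn: //p')
    [ -n "$dn" ] || return 1
    printf '%s\n' "$dn"
}

# authenticate URI BASE UID PASSWORD  -> returns 0 on success, 1 otherwise
authenticate() {
    uri=$1; base=$2; user=$3; pw=$4
    # empty password = unauthenticated bind, which the server reports as success
    [ -n "$user" ] && [ -n "$pw" ] || return 1
    filt="(uid=$(printf '%s' "$user" | escape_filter))"
    # Step 1: back-meta fans the search out to the local and AD targets and
    # returns the massaged DN of whichever one holds the account.
    dn=$(ldapsearch -x -LLL -H "$uri" -b "$base" "$filt" dn | lookup_dn) || return 1
    # Step 2: bind as that DN; the proxy forwards the bind to the target that
    # owns it (the step that needed flags=override in the answer above).
    ldapwhoami -x -H "$uri" -D "$dn" -w "$pw" >/dev/null 2>&1
}

# Usage when run directly:  ./auth.sh alice 's3cret'
if [ $# -eq 2 ]; then
    if authenticate ldap://127.0.0.1 dc=example,dc=com "$1" "$2"; then
        echo "authenticated: $1"
    else
        echo "authentication failed: $1" >&2
        exit 1
    fi
fi
```

Because the search runs anonymously against the proxy, the proxy's ACLs must let anonymous clients read `dn` for the user entries under the suffix and nothing more; everything else should require the bound user's own DN.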

To make the SSL proxy connection with any backend server, whether Active Directory or another LDAP directory, the OpenLDAP server should be compiled with SSL/TLS.

To check whether your LDAP server is compiled with SSL/TLS, run the command below:

    # ldd /usr/local/openldap/libexec/slapd | grep ssl
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f561c08d000)

It should list libssl; only then will it make an SSL connection with the backend LDAP server. If your server does not give the above output, compile the OpenLDAP package again and try.

For compilation, first install the rpm openldap-devel:

    # yum install openldap-devel libtool-ltdl-devel gcc -y

then compile OpenLDAP with the option --with-tls=openssl:

    ./configure --enable-bdb --enable-meta --enable-overlays --enable-ldap --prefix=/usr/local/openldap --with-tls=openssl

I have used the options below to install openldap-server from source code:

    # export CPPFLAGS="-I/usr/local/openldap/berkeleydb/include"
    # export LDFLAGS="-L/usr/local/openldap/berkeleydb/lib -L/lib64 -Wl,-R,/usr/local/openldap/berkeleydb/lib -Wl,--enable-new-dtags"
    # CFLAGS="-I/usr/local/openldap/berkeleydb/include/ -I/usr/local/include -I/usr/include"
    # export CFLAGS
    #export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/usr/local/openldap/berkeleydb/lib:/lib64/"
    # ../dist/configure --prefix=/usr/local/openldap/berkeleydb
    # make
    # make install
    # ./configure --enable-bdb --enable-meta --enable-overlays --enable-ldap --prefix=/usr/local/openldap --with-tls=openssl
    # make depend
    # make
    # make install

Also add the line TLS_REQCERT never to the file ldap.conf:

    echo "TLS_REQCERT never" >> /usr/local/openldap/etc/openldap/ldap.conf

Then configure your slapd.conf file.
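A caveat on the two TLS settings that appear on this page, with the verifying form of both files as an added example (not from either answer's author; the CA file path is an assumption). `TLS_REQCERT never` in ldap.conf tells the client library not to request or check the server certificate at all, and `tls_reqcert=allow` in the question's back-ldap target accepts a certificate that fails validation. With either, ldaps:// to the AD server still encrypts, but the proxy never authenticates the peer, so anything that can redirect the connection (DNS, routing, a rogue DC) collects the `idassert-bind` credentials and every proxied user password. Per ldap.conf(5) and slapd-ldap(5) the levels are never, allow, try, demand and hard; demand (or hard) is the setting that makes a bad or missing certificate terminate the session.

```conf
# /usr/local/openldap/etc/openldap/ldap.conf
# Used by ldapsearch/ldapwhoami and by slapd's own outbound (back-ldap, back-meta) connections.

# Weak, as in the answer above: no certificate is requested or checked.
#TLS_REQCERT never

# Verifying: the server certificate must chain to this CA, and its name must match the URI host.
# Path is an assumption; put the CA that issued the AD server's certificate here.
TLS_CACERT   /etc/openldap/certs/ad-issuing-ca.pem
TLS_REQCERT  demand
```

```conf
# slapd.conf: the proxied Active Directory target, with per-target TLS verification.
database ldap
uri            ldaps://ldaps.my.site.com/
suffix         "OU=AXXXX,DC=sxxxx,DC=nxx,DC=xx,DC=xxx"
readonly       yes
rebind-as-user yes

# Weak, as posted in the question:  tls_reqcert=allow  (a failed validation is accepted).
# Verifying: refuse the connection unless the AD certificate validates against tls_cacert.
idassert-bind bindmethod=simple
    binddn="CN=IXXXX,OU=IX,OU=SXXXX,OU=AXXXX,DC=sxxxx,DC=nxx,DC=xx,DC=xxx"
    credentials=XXXXXXXX
    flags=override
    mode=none
    tls_cacert=/etc/openldap/certs/ad-issuing-ca.pem
    tls_reqcert=demand
idassert-authzFrom "dn.regex:.*"
```

Lines beginning with whitespace are continuation lines in slapd.conf, so the `idassert-bind` options above form one directive. Check the result before trusting it: `ldapwhoami -x -H ldaps://ldaps.my.site.com/ -D "$binddn" -W` with `TLS_REQCERT demand` in ldap.conf must succeed, and the same command with `TLS_CACERT` pointed at an unrelated CA must fail with a TLS error; if both succeed, verification is still off somewhere.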
