
I'm trying to set up our Linux server with nslcd within multiple AD domains, example.com and sub.example.com.

The current setup with nslcd is pretty easy and works for the domain example.com:

uid nslcd
gid ldap

uri ldaps://dc1.example.com:636
base dc=example,dc=com
binddn cn=srv_authuser,ou=server,dc=example,dc=com
bindpw ----

# "never" skips verification of the DC's certificate: ldaps:// still encrypts,
# but a spoofed DC is accepted. "demand" together with tls_cacertdir checks it.
tls_reqcert never
tls_cacertdir /etc/openldap/cacerts
ssl on

pagesize 1000
referrals off
idle_timelimit 800

filter passwd (&(objectClass=user)(!(objectClass=computer)))
map passwd uid sAMAccountName
# numeric ids are taken from the RID of the objectSid under this domain's SID
map passwd uidNumber objectSid:S-1-5-21-4129304498-564803152-741489137
map passwd gidNumber gidNumber
map passwd loginShell "/bin/bash"
map passwd homeDirectory "/home/$sAMAccountName"
map passwd gecos displayName

filter group (objectClass=group)
map group gidNumber objectSid:S-1-5-21-4129304498-564803152-741489137

map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet

Is it possible with nslcd (pam-nss-ldap) to set up a second LDAP query for sub.domain.com, or is this only possible via sssd? If the bind user has admin rights on sub.domain.com, could it also fetch passwords/account data?

Thanks

  • Please let me know if the solution I proposed below worked fine for you? Commented Jan 11, 2019 at 21:19

1 Answer


You won't be able to do what you want with just nslcd. Instead you will have to configure a fake LDAP server with a fake domain name, served by slapd with the slapd-meta or slapd-ldap backend. Then you will add your AD servers to e.g. fakedomain.local. Once that's done you will be able to enroll your client to fakedomain.local, which will have a few domains inside. Then you will be able to list users from two different LDAP servers.

Here is a sample of your LDAP proxy configuration:

sudo yum install -y openldap openldap-clients openldap-servers

cat /etc/openldap/slapd.conf

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema

allow bind_v2
allow bind_anon_cred

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

modulepath /usr/lib64/openldap/
moduleload rwm.la
moduleload back_ldap.la
moduleload back_meta.la

# 4095 logs everything (every bind DN and search); lower it once the proxy works
loglevel 4095

# AD attribute that is not in the stock OpenLDAP schemas
attributetype ( 1.2.840.113556.1.4.656 NAME 'userPrincipalName'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

# One meta database serves the fake suffix. Each "uri" line starts a new
# target, and the suffixmassage / idassert-bind lines after it apply to that
# target only. (slapd refuses a second database with the same suffix.)
database meta
suffix "dc=fakedomain,dc=local"
readonly yes
lastmod off

# Active Directory 1
uri "ldap://ipofyourldap1:389/dc=fakedomain,dc=local"
suffixmassage "dc=fakedomain,dc=local" "ou=users,ou=office,dc=real1,dc=domain"
# plaintext password in this file: keep slapd.conf readable by root/ldap only,
# and note that ldap://...:389 sends the bind over the wire unencrypted
idassert-bind bindmethod=simple
    binddn="CN=userwithadminrights,OU=users,OU=office,DC=real1,DC=domain"
    credentials="yourplaintextpassword"
idassert-authzFrom "*"

# Active Directory 2
uri "ldap://ipofyourldap2:389/dc=fakedomain,dc=local"
suffixmassage "dc=fakedomain,dc=local" "ou=users,ou=office,dc=real2,dc=domain"
idassert-bind bindmethod=simple
    binddn="CN=userwithadminrights,OU=users,OU=office,DC=real2,DC=domain"
    credentials="yourplaintextpassword"
idassert-authzFrom "*"

Add the following:

#####################ADD TO /etc/openldap/schema/inetorgperson.schema############
# (a separate local schema file included from slapd.conf survives package
#  updates of inetorgperson.schema; the definition is the same either way)
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
#####################ADD TO /etc/openldap/schema/inetorgperson.schema############

sudo rm -r /etc/openldap/slapd.d && sudo mkdir /etc/openldap/slapd.d && sudo chown -R ldap.ldap /etc/openldap/slapd.d

sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

sudo slapd -d 1

  • I am glad it worked for you! Commented Feb 14, 2019 at 16:35
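The answer leaves the client-side id mapping untouched, and that is where a second domain bites. The question's nslcd.conf derives uidNumber and gidNumber from objectSid under one domain's SID prefix; nslcd takes the RID, the last sub-authority of the objectSid, as the numeric id. Once the proxy returns users from two domains, a user in the second domain with the same RID as a user in the first either gets the same uidNumber (and can read that user's files) or, if the prefix is enforced, gets no uidNumber at all; sAMAccountName is likewise only unique within one domain. The script below is an added example, not code from the question, the answer, nslcd or OpenLDAP: it decodes binary objectSid values the way AD returns them and reports both kinds of collision. The second domain's SID prefix and all account names are constructed sample data.

```python
"""Added example (not from the original question or answer): inspect the
objectSid values a two-domain proxy hands back to nslcd and find the
uidNumber and login-name collisions the single-prefix mapping would produce.
All SIDs and account names below are constructed sample data."""
import struct
from collections import defaultdict


def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid (the form AD returns) into S-1-5-21-... text."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit little-endian each
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def str_to_sid(text: str) -> bytes:
    """Inverse of sid_to_str; only used here to build the constructed sample."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a textual SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def domain_prefix(sid: str) -> str:
    """The domain part of a SID: everything except the trailing RID."""
    return sid.rsplit("-", 1)[0]


def rid(sid: str) -> int:
    """The RID, i.e. the number nslcd's objectSid:<base SID> mapping uses
    as uidNumber / gidNumber."""
    return int(sid.rsplit("-", 1)[1])


# Constructed sample of what a search over the proxied suffix could return.
# Domain 1 uses the SID prefix from the question; domain 2 is an assumed value.
DOMAIN1 = "S-1-5-21-4129304498-564803152-741489137"
DOMAIN2 = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = [
    # (sAMAccountName, objectSid as the server returns it)
    ("alice", str_to_sid(DOMAIN1 + "-1105")),
    ("bob",   str_to_sid(DOMAIN1 + "-1106")),
    ("carol", str_to_sid(DOMAIN2 + "-1105")),   # same RID as alice
    ("bob",   str_to_sid(DOMAIN2 + "-1200")),   # same login name as domain-1 bob
]


def collisions(entries, key):
    """Group entries by key(name, sid_text) and return only the groups with
    more than one member, each member listed as (name, domain prefix)."""
    groups = defaultdict(list)
    for name, raw in entries:
        sid = sid_to_str(raw)
        groups[key(name, sid)].append((name, domain_prefix(sid)))
    return {k: v for k, v in groups.items() if len(v) > 1}


def uid_collisions(entries):
    """uidNumber collisions under a RID-based objectSid mapping."""
    return collisions(entries, lambda name, sid: rid(sid))


def login_collisions(entries):
    """Login-name collisions: 'map passwd uid sAMAccountName' assumes a name
    is unique, which only holds inside one domain."""
    return collisions(entries, lambda name, sid: name)


if __name__ == "__main__":
    for uid, members in uid_collisions(SAMPLE).items():
        print("uidNumber %d shared by: %s" % (uid, members))
    for login, members in login_collisions(SAMPLE).items():
        print("login %r shared by: %s" % (login, members))
```

Run it against a real export by replacing SAMPLE with the (sAMAccountName, objectSid) pairs from an ldapsearch over the proxy suffix. If either function returns anything, the client mapping has to change before the second domain goes live: RFC 2307 uidNumber/gidNumber attributes maintained centrally, or a per-domain id offset, are the usual ways out.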
