LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 07-08-2014, 05:27 PM   #1
ragga
LQ Newbie
 
Registered: Jul 2014
Posts: 6

Rep: Reputation: Disabled
Angry OpenLDAP and Microsoft Active Directory pass through authentication


I am trying to setup an OpenLDAP directory that will authenticate users in the directory but pass through the authentication to the other users located in AD. I have tried a lot of different documentation online but I am not sure where I am going wrong.

Once I am done with my configuration I can run this command from my CentOS 6.5 box:

testsaslauthd -u jsnow\@domainname.com -p xxxxxxxxxxxxxxxxxx where jsnow is in my AD and domainname.com is the name of my AD domain.

The result is:
0: OK "Success."

However when I try to use an LDAP client on my Windows 7 machine using the same credentials and connecting to my CentOS 6.5 box I don't authenticate.

What am I doing wrong?
 
Old 07-08-2014, 05:42 PM   #2
kentyler
Member
 
Registered: Dec 2008
Location: Cleveland Ohio
Distribution: CentOS
Posts: 235

Rep: Reputation: 36
Are you sure the ldap client in the windows machine is sending it's query to the CentOS 6.5 box? What command line or client are you using and what parameters+values are you supplying?
 
Old 07-09-2014, 08:35 AM   #3
ragga
LQ Newbie
 
Registered: Jul 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Angry OpenLDAP pass through authentication with Active Directory

Ken,
Thanks for your quick response.



I use JXplorer as the LDAP client. I get error opening connection: LDAP: error code 49 - Invalid Credentials] when I try to connect with a user in the AD domain.

For Host I put in the IP address of the OpenLDAP server on port 389.

The Protocol being used is LDAP v3

The Base DN: dc=onetest,dc=com

Security

Level: User + Password
User DN: cn=John Snow,cn=Users,dc=addomain,dc=com
Password: xxxxxxxxxxxxxxxxxxxxxxxxxx


I tested the connection to the onetest directory first. I used User DN: cn=Manager,dc=onetest,dc=com and this works fine.

Is there something that I am missing?

I am ready to try another directory such as 389 directory or Red Hat Directory Server.

Thanks

Mark
 
Old 07-09-2014, 08:50 AM   #4
ragga
LQ Newbie
 
Registered: Jul 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Angry OpenLDAP pass through authentication with Active Directory

Ken,
Does a trust relationship need to be established between the AD domain and the OpenLDAP domain? Or would you recommend synchronizing the accounts in AD with the OpenLDAP directory?


Thanks

Mark
 
Old 07-09-2014, 04:24 PM   #5
kentyler
Member
 
Registered: Dec 2008
Location: Cleveland Ohio
Distribution: CentOS
Posts: 235

Rep: Reputation: 36
I may be confused at the goal. From what it looks like you are saying you would like request for auth for domain1 which is on centos to be satisfied there, and auth for domain2 which were sent to the centos box to then be forwarded to the ADS and authenticated there.

You may want to look into referrals.

http://www.ietf.org/rfc/rfc2251.txt

https://www.centos.org/docs/5/html/C...Referrals.html
 
Old 07-10-2014, 03:50 PM   #6
ragga
LQ Newbie
 
Registered: Jul 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Angry OpenLDAP pass through authentication with Active Directory

Good afternoon,

I tried the commands below from my CentOS 6.5 box....

ldapsearch -x -h localhost -LLL -b dc=onetest,dc=com -D cn=John Snow,cn=users,dc=mydomain,dc=com -W '(cn=nslcd-connect)' cn

where onetest is the OpenLDAP directory and mydomain is my Active Directory. I am still experiencing the same bind issue.

ldap_bind: Invalid credentials (49)

Thanks

Mark
 
Old 07-10-2014, 03:58 PM   #7
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,604

Rep: Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241
Quote:
Originally Posted by ragga View Post
I am trying to setup an OpenLDAP directory that will authenticate users in the directory but pass through the authentication to the other users located in AD. I have tried a lot of different documentation online but I am not sure where I am going wrong.

Once I am done with my configuration I can run this command from my CentOS 6.5 box:

testsaslauthd -u jsnow\@domainname.com -p xxxxxxxxxxxxxxxxxx where jsnow is in my AD and domainname.com is the name of my AD domain.

The result is:
0: OK "Success."

However when I try to use an LDAP client on my Windows 7 machine using the same credentials and connecting to my CentOS 6.5 box I don't authenticate.

What am I doing wrong?
AD is using Kerberos to authenticate, not LDAP. The AD servers HAS an LDAP server, but it also has DNS and Kerberos.

An AD client has to use Kerberos... (and no, I haven't set up a client to use an AD server for authentication myself - others where I worked did that)
 
Old 07-10-2014, 03:59 PM   #8
ragga
LQ Newbie
 
Registered: Jul 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Angry OpenLDAP pass through authentication with Active Directory

Here is a copy of my slapd.conf file

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time

# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap

## Module paths ##############################################################
modulepath /usr/lib64/openldap/
moduleload back_ldap
moduleload rwm



# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password

TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem


# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none

# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=onetest,dc=com" read
by * none

#######################################################################
# database definitions
#######################################################################

database bdb
suffix "dc=onetest,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=onetest,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg

rootpw {SSHA}rWXFsVhJPJyuuz3ZSn5XTrmLMoo/klrX

### Database definition (Proxy to AD) #########################################
database ldap
readonly yes
protocol-version 3
rebind-as-user
uri "ldap://addc.mydomain.com"
suffix "cn=users,dc=mydomain,dc=com"
overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute mail proxyAddresses

userPassword: {SASL}nslcd-connect@mydomain.com
chase-referrals yes

############# SASL parameters ###############################################
sasl-host localhost
sasl-secprops none



# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
 
Old 07-10-2014, 05:18 PM   #9
ragga
LQ Newbie
 
Registered: Jul 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Angry

jpollard,

Thanks for your response. Do you see anything wrong with what I typed below?


I tried the commands below from my CentOS 6.5 box....

ldapsearch -x -h localhost -LLL -b dc=onetest,dc=com -D cn=John Snow,cn=users,dc=mydomain,dc=com -W '(cn=nslcd-connect)' cn

where onetest is the OpenLDAP directory and mydomain is my Active Directory. I am still experiencing the same bind issue.

ldap_bind: Invalid credentials (49)

Thanks

Mark
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Squid authentication against Microsoft's Active Directory trueno_ray Linux - Server 2 12-30-2010 10:11 PM
OpenLDAP and Active Directory custangro Linux - Enterprise 1 01-05-2008 02:55 AM
replacing Openldap for centralized authentication instead of Active directory Narayandutt Linux - Software 1 08-23-2007 12:36 PM
LXer: Apache and Subversion authentication with Microsoft Active Directory LXer Syndicated Linux News 0 06-16-2007 05:46 PM
openldap and active directory akismax Linux - Enterprise 1 07-21-2006 06:50 PM


All times are GMT -5. The time now is 04:05 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration