OpenLDAP and Microsoft Active Directory pass through authentication
I am trying to setup an OpenLDAP directory that will authenticate users in the directory but pass through the authentication to the other users located in AD. I have tried a lot of different documentation online but I am not sure where I am going wrong.
Once I am done with my configuration I can run this command from my CentOS 6.5 box: testsaslauthd -u jsnow\@domainname.com -p xxxxxxxxxxxxxxxxxx where jsnow is in my AD and domainname.com is the name of my AD domain. The result is: 0: OK "Success." However when I try to use an LDAP client on my Windows 7 machine using the same credentials and connecting to my CentOS 6.5 box I don't authenticate. What am I doing wrong? |
Are you sure the ldap client in the windows machine is sending it's query to the CentOS 6.5 box? What command line or client are you using and what parameters+values are you supplying?
|
OpenLDAP pass through authentication with Active Directory
Ken,
Thanks for your quick response. I use JXplorer as the LDAP client. I get error opening connection: LDAP: error code 49 - Invalid Credentials] when I try to connect with a user in the AD domain. For Host I put in the IP address of the OpenLDAP server on port 389. The Protocol being used is LDAP v3 The Base DN: dc=onetest,dc=com Security Level: User + Password User DN: cn=John Snow,cn=Users,dc=addomain,dc=com Password: xxxxxxxxxxxxxxxxxxxxxxxxxx I tested the connection to the onetest directory first. I used User DN: cn=Manager,dc=onetest,dc=com and this works fine. Is there something that I am missing? I am ready to try another directory such as 389 directory or Red Hat Directory Server. Thanks Mark |
OpenLDAP pass through authentication with Active Directory
Ken,
Does a trust relationship need to be established between the AD domain and the OpenLDAP domain? Or would you recommend synchronizing the accounts in AD with the OpenLDAP directory? Thanks Mark |
I may be confused at the goal. From what it looks like you are saying you would like request for auth for domain1 which is on centos to be satisfied there, and auth for domain2 which were sent to the centos box to then be forwarded to the ADS and authenticated there.
You may want to look into referrals. http://www.ietf.org/rfc/rfc2251.txt https://www.centos.org/docs/5/html/C...Referrals.html |
OpenLDAP pass through authentication with Active Directory
Good afternoon,
I tried the commands below from my CentOS 6.5 box.... ldapsearch -x -h localhost -LLL -b dc=onetest,dc=com -D cn=John Snow,cn=users,dc=mydomain,dc=com -W '(cn=nslcd-connect)' cn where onetest is the OpenLDAP directory and mydomain is my Active Directory. I am still experiencing the same bind issue. ldap_bind: Invalid credentials (49) Thanks Mark |
Quote:
An AD client has to use Kerberos... (and no, I haven't set up a client to use an AD server for authentication myself - others where I worked did that) |
OpenLDAP pass through authentication with Active Directory
Here is a copy of my slapd.conf file
# # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/corba.schema include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/duaconf.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/java.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/collective.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules # - modulepath is architecture dependent value (32/64-bit system) # - back_sql.la overlay requires openldap-server-sql package # - dyngroup.la and dynlist.la cannot be used at the same time # modulepath /usr/lib/openldap # modulepath /usr/lib64/openldap ## Module paths ############################################################## modulepath /usr/lib64/openldap/ moduleload back_ldap moduleload rwm # moduleload accesslog.la # moduleload auditlog.la # moduleload back_sql.la # moduleload chain.la # moduleload collect.la # moduleload constraint.la # moduleload dds.la # moduleload deref.la # moduleload dyngroup.la # moduleload dynlist.la # moduleload memberof.la # moduleload pbind.la # moduleload pcache.la # moduleload ppolicy.la # moduleload refint.la # moduleload retcode.la # moduleload rwm.la # moduleload seqmod.la # moduleload smbk5pwd.la # moduleload sssvlv.la # moduleload syncprov.la # moduleload translucent.la # moduleload unique.la # moduleload valsort.la # The next three lines allow use of TLS for encrypting connections using a # dummy test certificate which you can generate by running # /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk # at self-signed certificates, however. #TLSCACertificatePath /etc/openldap/certs #TLSCertificateFile "\"OpenLDAP Server\"" #TLSCertificateKeyFile /etc/openldap/certs/password TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt TLSCertificateFile /etc/pki/tls/certs/slapd.pem TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! # enable on-the-fly configuration (cn=config) database config access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none # enable server status monitoring (cn=monitor) database monitor access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.exact="cn=Manager,dc=onetest,dc=com" read by * none ####################################################################### # database definitions ####################################################################### database bdb suffix "dc=onetest,dc=com" checkpoint 1024 15 rootdn "cn=Manager,dc=onetest,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg rootpw {SSHA}rWXFsVhJPJyuuz3ZSn5XTrmLMoo/klrX ### Database definition (Proxy to AD) ######################################### database ldap readonly yes protocol-version 3 rebind-as-user uri "ldap://addc.mydomain.com" suffix "cn=users,dc=mydomain,dc=com" overlay rwm rwm-map attribute uid sAMAccountName rwm-map attribute mail proxyAddresses userPassword: {SASL}nslcd-connect@mydomain.com chase-referrals yes ############# SASL parameters ############################################### sasl-host localhost sasl-secprops none # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub # Replicas of this database #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com@EXAMPLE.COM |
jpollard,
Thanks for your response. Do you see anything wrong with what I typed below? I tried the commands below from my CentOS 6.5 box.... ldapsearch -x -h localhost -LLL -b dc=onetest,dc=com -D cn=John Snow,cn=users,dc=mydomain,dc=com -W '(cn=nslcd-connect)' cn where onetest is the OpenLDAP directory and mydomain is my Active Directory. I am still experiencing the same bind issue. ldap_bind: Invalid credentials (49) Thanks Mark |
All times are GMT -5. The time now is 05:58 PM. |