LinuxQuestions.org - OpenLDAP and Microsoft Active Directory pass through authentication

- Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)

- - OpenLDAP and Microsoft Active Directory pass through authentication (https://www.linuxquestions.org/questions/linux-newbie-8/openldap-and-microsoft-active-directory-pass-through-authentication-4175510514/)

OpenLDAP and Microsoft Active Directory pass through authentication

I am trying to setup an OpenLDAP directory that will authenticate users in the directory but pass through the authentication to the other users located in AD. I have tried a lot of different documentation online but I am not sure where I am going wrong.

Once I am done with my configuration I can run this command from my CentOS 6.5 box:

testsaslauthd -u jsnow\@domainname.com -p xxxxxxxxxxxxxxxxxx where jsnow is in my AD and domainname.com is the name of my AD domain.

The result is:
0: OK "Success."

However when I try to use an LDAP client on my Windows 7 machine using the same credentials and connecting to my CentOS 6.5 box I don't authenticate.

What am I doing wrong?

Are you sure the ldap client in the windows machine is sending it's query to the CentOS 6.5 box? What command line or client are you using and what parameters+values are you supplying?

OpenLDAP pass through authentication with Active Directory

Ken,
Thanks for your quick response.

I use JXplorer as the LDAP client. I get error opening connection: LDAP: error code 49 - Invalid Credentials] when I try to connect with a user in the AD domain.

For Host I put in the IP address of the OpenLDAP server on port 389.

The Protocol being used is LDAP v3

The Base DN: dc=onetest,dc=com

Security

Level: User + Password
User DN: cn=John Snow,cn=Users,dc=addomain,dc=com
Password: xxxxxxxxxxxxxxxxxxxxxxxxxx

I tested the connection to the onetest directory first. I used User DN: cn=Manager,dc=onetest,dc=com and this works fine.

Is there something that I am missing?

I am ready to try another directory such as 389 directory or Red Hat Directory Server.

Thanks

Mark

OpenLDAP pass through authentication with Active Directory

Ken,
Does a trust relationship need to be established between the AD domain and the OpenLDAP domain? Or would you recommend synchronizing the accounts in AD with the OpenLDAP directory?

Thanks

Mark

I may be confused at the goal. From what it looks like you are saying you would like request for auth for domain1 which is on centos to be satisfied there, and auth for domain2 which were sent to the centos box to then be forwarded to the ADS and authenticated there.

You may want to look into referrals.

http://www.ietf.org/rfc/rfc2251.txt

https://www.centos.org/docs/5/html/C...Referrals.html

OpenLDAP pass through authentication with Active Directory

Good afternoon,

I tried the commands below from my CentOS 6.5 box....

ldapsearch -x -h localhost -LLL -b dc=onetest,dc=com -D cn=John Snow,cn=users,dc=mydomain,dc=com -W '(cn=nslcd-connect)' cn

where onetest is the OpenLDAP directory and mydomain is my Active Directory. I am still experiencing the same bind issue.

ldap_bind: Invalid credentials (49)

Thanks

Mark

Quote:

Originally Posted by ragga (Post 5200717)

AD is using Kerberos to authenticate, not LDAP. The AD servers HAS an LDAP server, but it also has DNS and Kerberos.

An AD client has to use Kerberos... (and no, I haven't set up a client to use an AD server for authentication myself - others where I worked did that)

OpenLDAP pass through authentication with Active Directory

Here is a copy of my slapd.conf file

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time

# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap

## Module paths ##############################################################
modulepath /usr/lib64/openldap/
moduleload back_ldap
moduleload rwm

# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password

TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none

# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=onetest,dc=com" read
by * none

#######################################################################
# database definitions
#######################################################################

database bdb
suffix "dc=onetest,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=onetest,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg

rootpw {SSHA}rWXFsVhJPJyuuz3ZSn5XTrmLMoo/klrX

### Database definition (Proxy to AD) #########################################
database ldap
readonly yes
protocol-version 3
rebind-as-user
uri "ldap://addc.mydomain.com"
suffix "cn=users,dc=mydomain,dc=com"
overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute mail proxyAddresses

userPassword: {SASL}nslcd-connect@mydomain.com
chase-referrals yes

############# SASL parameters ###############################################
sasl-host localhost
sasl-secprops none

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM

jpollard,

Thanks for your response. Do you see anything wrong with what I typed below?

I tried the commands below from my CentOS 6.5 box....

ldapsearch -x -h localhost -LLL -b dc=onetest,dc=com -D cn=John Snow,cn=users,dc=mydomain,dc=com -W '(cn=nslcd-connect)' cn

where onetest is the OpenLDAP directory and mydomain is my Active Directory. I am still experiencing the same bind issue.

ldap_bind: Invalid credentials (49)

Thanks

Mark