OpenLDAP and Microsoft Active Directory pass through authentication
Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
OpenLDAP and Microsoft Active Directory pass through authentication
I am trying to setup an OpenLDAP directory that will authenticate users in the directory but pass through the authentication to the other users located in AD. I have tried a lot of different documentation online but I am not sure where I am going wrong.
Once I am done with my configuration I can run this command from my CentOS 6.5 box:
testsaslauthd -u jsnow\@domainname.com -p xxxxxxxxxxxxxxxxxx where jsnow is in my AD and domainname.com is the name of my AD domain.
The result is:
0: OK "Success."
However when I try to use an LDAP client on my Windows 7 machine using the same credentials and connecting to my CentOS 6.5 box I don't authenticate.
Are you sure the ldap client in the windows machine is sending it's query to the CentOS 6.5 box? What command line or client are you using and what parameters+values are you supplying?
OpenLDAP pass through authentication with Active Directory
Ken,
Thanks for your quick response.
I use JXplorer as the LDAP client. I get error opening connection: LDAP: error code 49 - Invalid Credentials] when I try to connect with a user in the AD domain.
For Host I put in the IP address of the OpenLDAP server on port 389.
The Protocol being used is LDAP v3
The Base DN: dc=onetest,dc=com
Security
Level: User + Password
User DN: cn=John Snow,cn=Users,dc=addomain,dc=com
Password: xxxxxxxxxxxxxxxxxxxxxxxxxx
I tested the connection to the onetest directory first. I used User DN: cn=Manager,dc=onetest,dc=com and this works fine.
Is there something that I am missing?
I am ready to try another directory such as 389 directory or Red Hat Directory Server.
OpenLDAP pass through authentication with Active Directory
Ken,
Does a trust relationship need to be established between the AD domain and the OpenLDAP domain? Or would you recommend synchronizing the accounts in AD with the OpenLDAP directory?
I may be confused at the goal. From what it looks like you are saying you would like request for auth for domain1 which is on centos to be satisfied there, and auth for domain2 which were sent to the centos box to then be forwarded to the ADS and authenticated there.
I am trying to setup an OpenLDAP directory that will authenticate users in the directory but pass through the authentication to the other users located in AD. I have tried a lot of different documentation online but I am not sure where I am going wrong.
Once I am done with my configuration I can run this command from my CentOS 6.5 box:
testsaslauthd -u jsnow\@domainname.com -p xxxxxxxxxxxxxxxxxx where jsnow is in my AD and domainname.com is the name of my AD domain.
The result is:
0: OK "Success."
However when I try to use an LDAP client on my Windows 7 machine using the same credentials and connecting to my CentOS 6.5 box I don't authenticate.
What am I doing wrong?
AD is using Kerberos to authenticate, not LDAP. The AD servers HAS an LDAP server, but it also has DNS and Kerberos.
An AD client has to use Kerberos... (and no, I haven't set up a client to use an AD server for authentication myself - others where I worked did that)
OpenLDAP pass through authentication with Active Directory
Here is a copy of my slapd.conf file
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=onetest,dc=com" read
by * none
database bdb
suffix "dc=onetest,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=onetest,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}rWXFsVhJPJyuuz3ZSn5XTrmLMoo/klrX
### Database definition (Proxy to AD) #########################################
database ldap
readonly yes
protocol-version 3
rebind-as-user
uri "ldap://addc.mydomain.com"
suffix "cn=users,dc=mydomain,dc=com"
overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute mail proxyAddresses
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.