CentOS – Set up an OpenLDAP proxy to another LDAP server on CentOS 6


I'm trying to get a local server to authenticate to its own OpenLDAP server and then proxy to corporate LDAP if the user is not found locally.

  1. Local users work
  2. Auth to local LDAP server works
  3. Auth to corporate LDAP does NOT work
  4. LDAP search to corporate works when using local server (ack!?!)

user = corporate LDAP account
internal ldap = users – internal.com
corporate ldap = people – datacenter.corporate.com

note: anonymous bind is enabled on corporate.

oot@ sssd]# ldapsearch -h 127.0.0.1 -x -b "uid=user,ou=people,dc=datacenter,dc=corporate,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=user,ou=people,dc=datacenter,dc=corporate,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# user, People, datacenter.corporate.com
dn: uid=user,ou=People,dc=datacenter,dc=corporate,dc=com
uid: user
cn: 
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 
shadowWarning: 
loginShell: /bin/bash
uidNumber: 
gidNumber: 
homeDirectory: /home/users/user
gecos: user
shadowLastChange: 16461

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Setup slapd.d:

#######################################################################
# database definitions
#######################################################################

database bdb
suffix "dc=internal,dc=com"
checkpoint 1024 15
rootdn "cn=adm,dc=internal,dc=com"
rootpw {SSHA}aaaaa
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM

#proxy ldap
database ldap
suffix "ou=People,dc=datacenter,dc=corp,dc=com"
uri "ldap://1.1.1.1:389/"

idassert-bind bindmethod=none

ldap.conf:

URI ldap://127.0.0.1
BASE dc=internal,dc=com

Best Answer

Update for anyone who may find this thread: the OpenLDAP documentation is extremely lacking for proxy setup. This was found by basically 48 hours of trial and error.

Note: I switched back to slapd.conf by adding the following to /etc/sysconfig/ldap:

SLAPD_OPTIONS="-f /etc/openldap/slapd.conf"

In the slapd file you will find 4 databases:

  1. local database for LDAP AUTH (test.com)
  2. external database connector for LDAP AUTH (external.local -> corp.com)
  3. internal database connector for LDAP AUTH (internal.local -> test.com)
  4. meta database that combines the 2 connectors into 1 database

Anonymous binding everywhere made things easier.

The clients now point at the local LDAP database and can AUTH to either local LDAP or corporate LDAP seamlessly.

slapd.conf:

#local database 
database        bdb
suffix  "dc=test,dc=com"
checkpoint      1024 15
rootdn  "cn=adm,dc=test,dc=com"
rootpw  {SSHA}aaa
directory       /var/lib/ldap


#Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

#database meta
database meta
suffix  "dc=local"
rootdn  "cn=adm,dc=local"
rootpw  {SSHA}aaa

#dir1
uri      "ldap://corporate-ldap.com/ou=external,dc=local"
lastmod       off
suffixmassage   "ou=external,dc=local" "dc=datacenter,dc=corp,dc=com"

#dir2
uri      "ldap://127.0.0.1/ou=internal,dc=local"
lastmod       off
suffixmassage   "ou=internal,dc=local" "dc=test,dc=com"
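The two configurations in this thread differ in exactly the places where a proxy backend silently answers nothing: the question's `database ldap` suffix names `dc=corp` while the ldapsearch output shows the real tree is `dc=corporate`, and the answer's `database meta` works because each `uri` naming context sits under the meta suffix and matches the virtual side of its `suffixmassage`. The following script is an added example, not code from the original post or from the OpenLDAP project. It parses the `database`, `suffix`, `uri` and `suffixmassage` directives of a slapd.conf offline and reports those mismatches; the sample configs and the remote naming contexts (`remote_contexts`, assumed to be what the remote server publishes in its root DSE) are constructed from the thread.

```python
"""Offline consistency check for OpenLDAP slapd.conf proxy backends.

Added example for this thread; not code from the original post or from the
OpenLDAP project. It reads the database, suffix, uri and suffixmassage
directives and flags the mismatches that typically leave a back-ldap or
back-meta proxy returning nothing. Sample configs are constructed from the thread.
"""
import shlex
from urllib.parse import urlsplit, unquote

# Constructed from the question: the proxied suffix says dc=corp, but the
# ldapsearch output in the question shows the real tree is dc=corporate.
QUESTION_CONF = """
database bdb
suffix "dc=internal,dc=com"
rootdn "cn=adm,dc=internal,dc=com"
directory /var/lib/ldap

#proxy ldap
database ldap
suffix "ou=People,dc=datacenter,dc=corp,dc=com"
uri "ldap://1.1.1.1:389/"
idassert-bind bindmethod=none
"""

# Constructed from the answer's slapd.conf (back-meta with two targets).
ANSWER_CONF = """
database bdb
suffix "dc=test,dc=com"
rootdn "cn=adm,dc=test,dc=com"

database meta
suffix "dc=local"
rootdn "cn=adm,dc=local"
uri "ldap://corporate-ldap.com/ou=external,dc=local"
suffixmassage "ou=external,dc=local" "dc=datacenter,dc=corp,dc=com"
uri "ldap://127.0.0.1/ou=internal,dc=local"
suffixmassage "ou=internal,dc=local" "dc=test,dc=com"
"""


def norm_dn(dn):
    """Lower-case a DN and drop whitespace around commas for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_within(child, parent):
    """True if child equals parent or is subordinate to it."""
    c, p = norm_dn(child), norm_dn(parent)
    return c == p or c.endswith("," + p)


def parse_slapd_conf(text):
    """Split slapd.conf into database sections.

    Each section is {"type", "suffix", "targets"}; a target is one uri
    directive plus the suffixmassage that follows it (virtual -> real).
    """
    dbs, db, target = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        key = words[0].lower()
        if key == "database":
            db = {"type": words[1].lower(), "suffix": None, "targets": []}
            dbs.append(db)
            target = None
        elif db is None:
            continue  # global directives are not needed for this check
        elif key == "suffix":
            db["suffix"] = words[1]
        elif key == "uri":
            # The path of the URI is the naming context this target serves.
            uri_dn = unquote(urlsplit(words[1]).path.lstrip("/"))
            target = {"uri_dn": uri_dn, "virtual": None, "real": None}
            db["targets"].append(target)
        elif key == "suffixmassage" and target is not None:
            target["virtual"], target["real"] = words[1], words[2]
    return dbs


def check_proxy_config(text, remote_contexts=()):
    """Return a list of problems; an empty list means the proxies look consistent.

    remote_contexts: the namingContexts the remote servers publish in their
    root DSE. Suffixes served by a non-proxy database in the same file also
    count as known, because the answer's meta backend points back at itself.
    """
    dbs = parse_slapd_conf(text)
    known = {norm_dn(c) for c in remote_contexts}
    known |= {norm_dn(d["suffix"]) for d in dbs
              if d["type"] not in ("ldap", "meta") and d["suffix"]}
    problems, seen = [], {}
    for i, db in enumerate(dbs, 1):
        label = f"database #{i} ({db['type']})"
        if not db["suffix"]:
            problems.append(f"{label}: no suffix")
            continue
        if norm_dn(db["suffix"]) in seen:
            problems.append(f"{label}: duplicates suffix of {seen[norm_dn(db['suffix'])]}")
        seen[norm_dn(db["suffix"])] = label
        if db["type"] not in ("ldap", "meta"):
            continue
        if not db["targets"]:
            problems.append(f"{label}: proxy backend has no uri")
            continue
        for t in db["targets"]:
            if db["type"] == "meta":
                # back-meta: the uri naming context must sit under the meta
                # suffix and be the virtual side of its suffixmassage.
                if not dn_within(t["uri_dn"], db["suffix"]):
                    problems.append(f"{label}: uri context {t['uri_dn']} outside suffix {db['suffix']}")
                if t["virtual"] and norm_dn(t["virtual"]) != norm_dn(t["uri_dn"]):
                    problems.append(f"{label}: suffixmassage virtual {t['virtual']} != uri context {t['uri_dn']}")
            real = t["real"] or db["suffix"]  # back-ldap: the suffix is the remote context
            if not any(dn_within(real, ctx) for ctx in known):
                problems.append(f"{label}: {real} is not under any known naming context")
    return problems


if __name__ == "__main__":
    for name, conf, ctx in (("question", QUESTION_CONF, ["dc=datacenter,dc=corporate,dc=com"]),
                            ("answer", ANSWER_CONF, ["dc=datacenter,dc=corp,dc=com"])):
        print(name, "->", check_proxy_config(conf, ctx) or "OK")
```

Run it against the question's config with the naming context seen in the ldapsearch output and it reports the `dc=corp` suffix as not under any known context; run it against the answer's config and it reports nothing. The remote naming contexts are the one input the file itself cannot supply, so they are passed in explicitly rather than guessed.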