I'm trying to get a local server to authenticate against its own OpenLDAP server and then proxy to corporate LDAP if the user is not found locally.
- Local users work
- Auth to local LDAP server works
- Auth to corporate LDAP does NOT work
- LDAP search to corporate works when using local server (ack!?!)
user = corporate LDAP account
internal ldap = users – internal.com
corporate ldap = people – datacenter.corporate.com
note: anonymous bind is enabled on corporate.
[root@ sssd]# ldapsearch -h 127.0.0.1 -x -b "uid=user,ou=people,dc=datacenter,dc=corporate,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=user,ou=people,dc=datacenter,dc=corporate,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# user, People, datacenter.corporate.com
dn: uid=user,ou=People,dc=datacenter,dc=corporate,dc=com
uid: user
cn:
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax:
shadowWarning:
loginShell: /bin/bash
uidNumber:
gidNumber:
homeDirectory: /home/users/user
gecos: user
shadowLastChange: 16461
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Setup slapd:
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=internal,dc=com"
checkpoint 1024 15
rootdn "cn=adm,dc=internal,dc=com"
rootpw {SSHA}aaaaa
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
# proxy ldap: back-ldap database that forwards the corporate subtree to 1.1.1.1
database ldap
# the suffix must be the corporate naming context used everywhere else in this
# post (dc=corporate, not dc=corp); slapd picks the database by longest matching
# suffix, and a DN that matches no database never reaches the proxy at all
suffix "ou=People,dc=datacenter,dc=corporate,dc=com"
uri "ldap://1.1.1.1:389/"
# anonymous bind is allowed on corporate, so no proxy identity is asserted
idassert-bind bindmethod=none
ldap.conf:
URI ldap://127.0.0.1
BASE dc=internal,dc=com
Best Answer
Update for anyone who may find this thread: the OpenLDAP documentation is extremely lacking for proxy setup. This was found by basically 48 hours of trial and error.
Note: I switched back to slapd.conf by adding the following in /etc/sysconfig/ldap:
SLAPD_OPTIONS="-f /etc/openldap/slapd.conf"
In the slapd file you will find 4 databases:
1. local database for LDAP AUTH (test.com)
2. external database connector for LDAP AUTH (external.local -> corp.com)
3. internal database connector for LDAP AUTH (internal.local -> test.com)
4. meta database that combines the 2 connectors into 1 database
Anonymous binding everywhere made things easier.
The clients now point at the local LDAP database and can AUTH to either local LDAP or corporate LDAP seamlessly.
slapd.conf
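The slapd.conf the answer refers to is not reproduced on the page. What follows is an added example config, written for this page and not the asker's or the answerer's file, that solves the same problem the question and the answer describe (local accounts served from the local database, corporate accounts proxied and authenticated against the corporate server, one base DN for clients). It uses the names from the question (local suffix dc=internal,dc=com, corporate directory ou=People,dc=datacenter,dc=corporate,dc=com on 1.1.1.1); the certificate paths are placeholders. Instead of the answer's four-database back-meta layout it glues the corporate proxy in as a subordinate of the local database, which avoids slapd proxying to itself over loopback. One observation that fits the question's symptoms, though the page does not state it: in the question's config the corporate proxy is a separate, disjoint suffix, so a client whose search base is dc=internal,dc=com never finds a corporate user, even though a search aimed directly at the corporate suffix goes through the proxy fine. With the glued layout below, clients keep BASE dc=internal,dc=com and corporate users appear under ou=corporate,dc=internal,dc=com.

```conf
# Added example slapd.conf (not the answerer's file). Names assumed from the
# question; certificate paths are placeholders.

include    /etc/openldap/schema/core.schema
include    /etc/openldap/schema/cosine.schema
include    /etc/openldap/schema/nis.schema
include    /etc/openldap/schema/inetorgperson.schema

pidfile    /var/run/openldap/slapd.pid
argsfile   /var/run/openldap/slapd.args

# Only needed on builds that ship back-ldap and the rwm overlay as dynamic
# modules; leave commented out where they are linked in statically.
#modulepath /usr/lib64/openldap
#moduleload back_ldap.la
#moduleload rwm.la

# TLS for the local listener (assumed paths). security simple_bind=128 makes
# slapd refuse a simple bind on a connection without at least 128-bit
# protection, so client passwords never reach this proxy in the clear;
# clients must use ldaps:// or STARTTLS.
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile /etc/openldap/certs/slapd.key
security simple_bind=128

# 1. Subordinate first: back-ldap proxy to corporate, glued under the local
# suffix. slapd routes any DN under ou=corporate,dc=internal,dc=com here
# (longest suffix match), and the glue overlay that "subordinate" installs on
# the superior database extends subtree searches on dc=internal,dc=com into
# this tree. A simple bind with such a DN is forwarded to 1.1.1.1, so the
# corporate server still verifies the password and slapd never stores it.
database      ldap
suffix        "ou=corporate,dc=internal,dc=com"
subordinate
uri           "ldap://1.1.1.1:389/"
# STARTTLS to corporate with certificate verification, so the forwarded bind
# (the user's corporate password) is not sent across the network in the clear.
tls           start tls_reqcert=demand tls_cacert=/etc/openldap/certs/corp-ca.pem
# Corporate allows anonymous search, so no proxy identity is asserted.
idassert-bind bindmethod=none
# Rewrite the virtual suffix to the real corporate suffix in both directions:
# search bases and bind DNs on the way out, entry DNs on the way back, so a
# client sees uid=user,ou=corporate,dc=internal,dc=com and can bind as it.
overlay       rwm
rwm-rewriteEngine on
rwm-suffixmassage "ou=People,dc=datacenter,dc=corporate,dc=com"

# 2. Superior (glue) database: the local accounts. In slapd.conf the superior
# is defined after its subordinates.
database   bdb
suffix     "dc=internal,dc=com"
checkpoint 1024 15
rootdn     "cn=adm,dc=internal,dc=com"
rootpw     {SSHA}aaaaa
directory  /var/lib/ldap
index      objectClass eq,pres
index      uid,memberUid eq,pres,sub
index      uidNumber,gidNumber eq,pres
index      cn eq,pres,sub
# Local password hashes may be used to bind but never read back.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
```

To check each hop separately after restarting slapd: `ldapsearch -x -ZZ -H ldap://127.0.0.1 -b dc=internal,dc=com "(uid=user)"` should return the corporate account as `uid=user,ou=corporate,dc=internal,dc=com` alongside local results, and `ldapwhoami -x -ZZ -H ldap://127.0.0.1 -D "uid=user,ou=corporate,dc=internal,dc=com" -W` should succeed only with the user's corporate password (the `-ZZ` is required because of `security simple_bind=128`). If the search works but the bind does not, the forwarded bind to 1.1.1.1 is where to look, for example a failed STARTTLS negotiation because `tls_reqcert=demand` rejected the corporate certificate. Whether the rest of the design is back-ldap glue as here or the answer's back-meta database combining two connectors, the security-relevant settings are the same: TLS on both legs, no plaintext simple binds accepted, and local password hashes unreadable.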