Ldap – How to proxy multiple LDAP servers, and still have grouping of users on the proxy


I have 2 problems that I'm hoping to find a common solution to.

First, I need to find a way to have multiple LDAP servers (Windows ADs across multiple domains) feed into a single source for authentication. This is also needed to get applications that can't natively talk to more than one LDAP server to work. I've read this can be done with OpenLDAP. Are there other solutions?

Second, I need to be able to add those users to groups without being able to make any changes to the LDAP servers I'm proxying.

Lastly, this all needs to work on Windows Server 2003/2008.

I work for a very large organization, and to create multiple groups and have large numbers of users added to, moved between, and removed from them is no small task. This normally requires tons of paperwork and a lot of time. Time is the one thing we don't normally have; dodging the paperwork is just a plus.

I have very limited experience in all this, so I'm not even sure what I'm asking will make sense. Atlassian Crowd comes close to what we need, but falls short of having its own LDAP front end. Can anyone provide any advice or product names?

Thanks for any help you can provide.

Best Answer

I recommend OpenLDAP's meta backend, which acts as a proxy to integrate several naming contexts from several different servers in one single tree. I have successfully used it to do just this on several Windows 2003 domains.

For example, if you have several AD domains named ONE.COMPANY.COM and TWO.COMPANY.COM, you would end up with the following LDAP tree:

  • dc=company,dc=com
    • dc=one,dc=company,dc=com
      • Users and Groups from domain ONE
    • dc=two,dc=company,dc=com
      • Users and Groups from domain TWO

Thus, you could base authentication requests on the base DN dc=company,dc=com, which would return entries from either server.

Of course, you must make sure that you have an attribute that can uniquely identify users over all domains, such as an email address (you don't want to use a login name if you have two jdoe users! Unless you're sure logins are unique over all domains).

Check out OpenLDAP's back-meta man page.

Second, I need to be able to add those users to groups without being able to make any changes to the LDAP servers I'm proxying.

You can easily add a local database to the same instance of OpenLDAP, to contain groups that reference users from all proxied domains. They will have unique DNs on this server; just add them to groups and you're done.
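As an added illustration (not taken from the answer above or from any OpenLDAP documentation), the following slapd.conf sketch lays out the design the answer describes: one back-meta database rooted at dc=company,dc=com with one target per AD domain, plus a local mdb database holding the groups. Every host name, DN, service-account name, password and path is a placeholder, and the exact directive syntax should be checked against slapd-meta(5) and slapd.conf(5) for the OpenLDAP version in use.

```conf
# Added example config, not part of the original answer. All names are placeholders.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# 1. Local database for the groups. It is declared BEFORE the meta database and
#    marked subordinate so that a subtree search based at dc=company,dc=com is
#    glued together from this database and the proxied AD trees.
database        mdb
suffix          "ou=groups,dc=company,dc=com"
subordinate
directory       /var/lib/ldap/groups
rootdn          "cn=groupadmin,ou=groups,dc=company,dc=com"
# Hashed value produced by slappasswd; never store a plaintext rootpw.
rootpw          {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
index           objectClass,member  eq
# Only authenticated clients may read group membership; the rootdn is exempt
# from ACLs and is the only identity allowed to write.
access to dn.subtree="ou=groups,dc=company,dc=com"
        by users read
        by * none

# 2. Meta database: one target per AD domain. AD already names the domain
#    ONE.COMPANY.COM as dc=one,dc=company,dc=com, so the virtual DN and the
#    real DN coincide and no suffixmassage rewriting is required.
database        meta
suffix          "dc=company,dc=com"
# A subtree search against a domain controller returns referrals for the
# DomainDnsZones/ForestDnsZones/Configuration partitions; do not follow them.
chase-referrals no

# Target for domain ONE, over LDAPS so credentials never cross the wire in clear.
uri             "ldaps://dc1.one.company.com/dc=one,dc=company,dc=com"
# Searches are performed as a low-privilege, read-only service account in that
# domain (AD does not permit anonymous searches). The credentials live in this
# file, so the file must be readable by the slapd service account only.
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=one,dc=company,dc=com"
                credentials="REPLACE_ME"
                mode=none
idassert-authzFrom "dn.regex:.*"

# Target for domain TWO, same pattern.
uri             "ldaps://dc1.two.company.com/dc=two,dc=company,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=two,dc=company,dc=com"
                credentials="REPLACE_ME"
                mode=none
idassert-authzFrom "dn.regex:.*"
```

With this layout a user's own bind (for example as cn=John Doe,cn=Users,dc=one,dc=company,dc=com) is forwarded to the target that owns that DN, so passwords are still verified by the user's home domain controller and the proxy stores none of them. A group is then an ordinary groupOfNames entry under ou=groups,dc=company,dc=com whose member values are full DNs from either proxied tree, and an application checks membership with a search such as (&(objectClass=groupOfNames)(member=<userDN>)) against that suffix. Two caveats a practitioner should expect: slapd's referential-integrity machinery cannot see the proxied entries, so a member DN that points at a deleted or moved AD account is not cleaned up automatically; and, as the answer notes, group members must be keyed by the full DN (or another attribute unique across all domains), not by a bare login name.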
