Ldap – OpenLDAP as proxy to Active Directory does not bind with bindDN from slapd.conf

Tags: active-directory, centos7, ldap, openldap, proxy

Background info:

CentOS 7 3.10.0-327.18.2.el7.x86_64

This server will be used as a proxy to Active Directory.

Currently it seems as if ldapsearch does not care about /etc/openldap/slapd.conf and will not bind unless I pass the bindDN and password directly using -D and -w.

I did a fresh install of OpenLDAP-servers

Edited slapd.conf with the following:

### Schema includes ###########################################################
include                 /etc/openldap/schema/core.schema
include                 /etc/openldap/schema/cosine.schema
include                 /etc/openldap/schema/inetorgperson.schema
include                 /etc/openldap/schema/misc.schema
include                 /etc/openldap/schema/nis.schema

## Module paths ##############################################################
modulepath              /usr/lib64/openldap/
moduleload              back_ldap
moduleload              rwm

## Support both LDAPv2 and LDAPv3
allow           bind_v2

# Main settings ###############################################################
pidfile                 /var/run/openldap/slapd.pid
argsfile                /var/run/openldap/slapd.args

### Database definition (Proxy to AD) #########################################
database                ldap
readonly                yes
protocol-version        3
rebind-as-user          yes
uri                     "ldap://10.0.0.90:389"
suffix                  "DC=secretdomain,DC=com"
idassert-bind           bindmethod=simple
                        binddn="CN=MropenLDAP,OU=Administration,DC=secretdomain,DC=com"
                        credentials=topsecretpass
                        mode=none
idassert-authzFrom      "*"
overlay                 rwm
rwm-map                 attribute       uid     sAMAccountName
rwm-map                 attribute       mail    proxyAddresses

### Logging ###################################################################
logfile                 /var/log/slapd/slapd.log
loglevel                1

Ran: slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

Made sure ownership and permissions are correct then restarted slapd.

The following does not work:

ldapsearch -H ldap://10.0.0.90 -x -b "OU=Administration,DC=secretdomain,DC=com" -v -LLL "(samaccountname=someusername)"

ldapsearch -H ldap://10.0.0.90 -x -b "OU=Administration,DC=secretdomain,DC=com" -v -LLL

It gives me this error:

ldap_initialize( ldap://10.0.0.90:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
Operations error (1)
Additional information: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1

However, when I pass the bind account DN directly it works. I checked that both of these pieces of information are identical to those in the /etc/openldap/slapd.conf file:

ldapsearch -H ldap://10.0.0.90 -x -b "OU=Administration,DC=secretdomain,DC=com" -v -LLL -D "CN=MropenLDAP,OU=Administration,DC=secretdomain,DC=com" "(samaccountname=someusername)" -w topsecretpass

Best Answer

ldapsearch doesn't use slapd.conf; it uses ldap.conf (or a number of other places as outlined below). BINDDN cannot usefully be set in the global ldap.conf file as it's considered a user-only option and thus ignored if found there.


LDAP.CONF(5)

NAME
ldap.conf, .ldaprc - LDAP configuration file/environment variables

SYNOPSIS
/etc/openldap/ldap.conf, ldaprc, .ldaprc, $LDAP

DESCRIPTION
If the environment variable LDAPNOINIT is defined, all defaulting is disabled.

The ldap.conf configuration file is used to set system-wide defaults to be applied when running ldap clients.

Users may create an optional configuration file, ldaprc or .ldaprc, in their home directory which will be used to override the system-wide defaults file. The file ldaprc in the current working directory is also used.

Additional configuration files can be specified using the LDAPCONF and LDAPRC environment variables. LDAPCONF may be set to the path of a configuration file. This path can be absolute or relative to the current working directory. The LDAPRC, if defined, should be the basename of a file in the current working directory or in the user's home directory.

Environmental variables may also be used to augment the file based defaults. The name of the variable is the option name with an added prefix of LDAP. For example, to define BASE via the environment, set the variable LDAPBASE to the desired value.

Some options are user-only. Such options are ignored if present in the ldap.conf (or file specified by LDAPCONF).

Thus the following files and variables are read, in order:
variable $LDAPNOINIT, and if that is not set:
system file /etc/openldap/ldap.conf,
user files $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc,
system file $LDAPCONF,
user files $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC,
variables $LDAP.
Settings late in the list override earlier ones.

BINDDN <dn>
Specifies the default bind DN to use when performing ldap operations. The bind DN must be specified as a Distinguished Name in LDAP format. This is a user-only option.
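To make the lookup order in the quoted ldap.conf(5) text concrete, here is an added example (written for this page, not part of the answer or of OpenLDAP) that resolves a client's effective defaults from the listed files and LDAP* environment variables, drops user-only options found in system files, and replays the question's situation with constructed files in a temporary directory. It assumes only BINDDN is user-only, the one option this excerpt names; the DN and host are the question's own values.

```python
import tempfile
from pathlib import Path

# Only user-only option the excerpt above names (the real ldap.conf(5) lists more).
USER_ONLY = {"BINDDN"}

def parse_ldaprc(path):
    """Parse 'OPTION value' lines of an ldap.conf-style file; a missing file yields {}."""
    opts, path = {}, Path(path)
    for line in (path.read_text().splitlines() if path.is_file() else []):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip()
    return opts

def effective_config(system_conf, home, cwd, env):
    """Resolve client defaults in ldap.conf(5) order; returns (settings, ignored user-only)."""
    if "LDAPNOINIT" in env:                      # all defaulting disabled
        return {}, []
    home, cwd = Path(home), Path(cwd)
    sources = [(Path(system_conf), True), (home / "ldaprc", False),
               (home / ".ldaprc", False), (cwd / "ldaprc", False)]
    if env.get("LDAPCONF"):                      # absolute, or relative to cwd
        sources.append((cwd / env["LDAPCONF"], True))
    if env.get("LDAPRC"):                        # basename looked up in $HOME and cwd
        rc = env["LDAPRC"]
        sources += [(home / rc, False), (home / ("." + rc), False), (cwd / rc, False)]
    settings, ignored = {}, []
    for path, is_system in sources:              # later sources override earlier ones
        for key, value in parse_ldaprc(path).items():
            if is_system and key in USER_ONLY:
                ignored.append((str(path), key))  # dropped, exactly as the answer says
            else:
                settings[key] = value
    for name, value in env.items():              # LDAP<OPTION> variables override the files
        if name.startswith("LDAP") and name not in ("LDAP", "LDAPNOINIT", "LDAPCONF", "LDAPRC"):
            settings[name[4:]] = value
    return settings, ignored

def demo():
    """Constructed scenario: BINDDN in the system file is ignored, in ~/.ldaprc it is honoured."""
    root = Path(tempfile.mkdtemp())
    dn = "CN=MropenLDAP,OU=Administration,DC=secretdomain,DC=com"
    (root / "ldap.conf").write_text(f"BASE DC=secretdomain,DC=com\nURI ldap://10.0.0.90\nBINDDN {dn}\n")
    (root / ".ldaprc").write_text(f"BINDDN {dn}\n")
    return effective_config(root / "ldap.conf", root, root, {"LDAPBASE": "OU=Administration,DC=secretdomain,DC=com"})
```

Running demo() shows the BINDDN line from the system file in the ignored list while the same line from .ldaprc ends up in the settings, which is why the question's bind only succeeds when -D and -w are passed explicitly.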