Home / server / Questions / 1152227
Accepted
Gerald Schneider
Asked: 2024-01-25 14:53:24 +0800 CST

Combining OpenLDAP and Active Directory via OpenLDAP meta backend

  • 772

We have an application that used to authenticate via our Atlassian Crowd instance, but after a major rewrite that authentication source is not available anymore. Now I need a solution to authenticate users from both our Active Directory and an OpenLDAP server, which was previously handled by Crowd.

The most promising option seems to be the OpenLDAP meta backend, and I now have a configuration where I can find users from both directories with ldapsearch, but authentication only works for AD users. I found a couple of questions like this, which were very helpful, but ultimatley didn't work for me.

           Application
               │
               ▼
         OpenLDAP (meta)
             │   │
             │   │
 OpenLDAP ◄──┘   └─►  Active Directory

This is my current configuration:

moduleload back_meta.la
moduleload back_ldap.la
moduleload rwm

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/msuser.schema

database meta

suffix "dc=openldap,dc=Example,dc=com"
uri "ldap://openldap.example.com/dc=openldap,dc=Example,dc=com"
map objectclass user inetOrgPerson
map attribute sAMAccountName uid
#map attribute unicodePwd userPassword
map attribute objectGUID entryUUID
map objectclass group groupOfUniqueNames
map attribute member uniqueMember
protocol-version 3
#rebind-as-user yes
idassert-authzFrom "dn.regex:.*"

suffix "DC=ad,DC=Example,DC=com"
uri "ldap://dc01.ad.example.com/DC=ad,DC=Example,DC=com"
rebind-as-user yes
chase-referrals no
readonly yes
protocol-version 3
idassert-bind
  bindmethod=simple
  binddn="CN=username,OU=Service-Accounts,DC=ad,DC=Example,DC=com"
  credentials="PASSWORD"
  flags=override
  mode=none
norefs yes
sizelimit 999
idassert-authzFrom "dn.regex:.*"

suffix "dc=Example,dc=com"
rootdn "cn=admin,dc=Example,dc=com"
rootpw PASSWORD

It seems that the only problem left is the password field. According to the MS documentation both unicodePwd and userPassword exist in AD, yet neither works for the OpenLDAP server (which uses userPassword). I was unable to find out how passwords are hashed in AD, the accounts stored in OpenLDAP are hashed with MD5 or SSHA, depending on the age of the password I guess.

I tried rebind-as-user on and off for the OpenLDAP server, I tried binding with a username instead of anonymous, I have no ideas left.

What is missing to be able to authenticate against both directories?

active-directory

1 Answers

  1. Best Answer

    I finally found a working configuration. After realizing that the only thing not working was the authorization I moved the configuration from a separate LDAP server to the LDAP server that holds the accounts.

    I added an additional meta database with a DN above the existing database and added the attribute olcSubordinate: TRUE to the existing database.

    dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb.la
olcModuleLoad: {1}back_meta.la
olcModuleLoad: {2}back_ldap
olcModuleLoad: {3}rwm

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=hostname,dc=example,dc=com
structuralObjectClass: olcHdbConfig
olcSubordinate: TRUE

dn: olcDatabase={2}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {2}meta
olcSuffix: dc=example,dc=com
olcDbOnErr: continue
olcDbCancel: abandon
olcDbTFSupport: no
structuralObjectClass: olcMetaConfig

dn: olcMetaSub={0}ad,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {0}ad
olcDbURI: ldaps://dc.example.com/DC=ad,DC=example,DC=
 com
olcDbIDAssertAuthzFrom: {0}dn.regex:.*
olcDbIDAssertBind: bindmethod=simple binddn="CN=user,OU=service user
 s,DC=ad,dc=example,dc=com" credentials="XXXXXXXXXXXXXXXXXXXXXXXX
 XXXXX" flags=override mode=none
olcDbMap: {0}objectclass inetOrgPerson user
olcDbMap: {1}attribute uid sAMAccountName
olcDbMap: {2}attribute entryUUID objectGUID
olcDbMap: {3}objectclass groupOfUniqueNames group
olcDbMap: {4}attribute uniqueMember member
olcDbChaseReferrals: FALSE
olcDbNoRefs: TRUE
olcDbProtocolVersion: 3
olcDbRebindAsUser: TRUE
structuralObjectClass: olcMetaTargetConfig

    Now under dc=example,dc=com I get the OUs ad and hostname, with the latter holding the local accounts and the former showing the entries from AD, with the attributes I need mapped to their corresponding names in OpenLDAP.

    • 0