Peter wrote:
>
> On 26.02.19 at 18:18, N6Ghost wrote:
>>
>> On 2/26/2019 12:07 AM, Dieter Klünter wrote:
>>> On Mon, 25 Feb 2019 13:34:45 -0800,
>>> N6Ghost <[email protected]> wrote:
>>>
>>>> hi all,
>>>>
>>>> I am trying to set up an openldap proxy to AD and i need to use SUSE
>>>> Enterprise Linux 12.
>>>>
>>>> Hostname:/etc/openldap # rpm -qa|grep -i openldap
>>>> openldap2-2.4.41-18.43.1.x86_64
>>>> openldap2-client-2.4.41-18.43.1.x86_64
>>>>
>>>> what I am trying to do, is proxy an application (with 1000s of users)
>>>> from talking directly to AD, to talking to openldap. and then have
>>>> openldap talk to AD.
>>>> looking across the net there is a bunch of stuff, but most of it does not
>>>> seem to apply, or work. looking at the official doc, it says use sasl but
>>>> you must have a local entry with a {SASL} tag on the user; that's not
>>>> really ideal and would make a huge problem. a few of the posts online
>>>> just said pointing to AD via ldap is possible? and this application also
>>>> has a group lookup as part of its auth process... eg, only members of
>>>> groupX can access....
>>>>
>>>> any help in this would be huge.
>>>>
>>>>
>>>> seems, i am mixing up a few different ways of doing this. what's the
>>>> best way to do this?
>>> I presume you are running slapd with slapd-ldap(5) backend.
>>> AD requires non standard attribute types, which openldap does not
>>> provide. Include AD schema files into slapd.
>>> RFC-4513 requires sasl for strong binds; if your AD is set up as KDC you
>>> may include openldap services as kerberos host and service principals.
>>>
>>> -Dieter
>>
>> where do i get the AD schema that's not in the schema directory.
> See Quanah's response
>> yea i was working with /etc/slapd.conf, but in openldap 2.4 it seems
>> some stuff has changed,
> Maybe you mean the option to put the configuration in the LDAP data
> (below cn=config) instead of using slapd.conf. You can still use the
> latter though.
>> and lots
>> of very conflicting information on how to go about getting the proxy
>> to AD, lots of posts say you can just have a config in slapd.conf, but
>> that not only does not work
>> but many of the items in those configs don't work, and will not allow
>> the service to even start.
>>
>> then there is the matter, where the official docs say you can pass
>> thru, but the accounts need a local openldap account with {SASL}
>> tagged. which for a large
>> domain with 1000s of users is a pain.
>
> So there are several possibilities to integrate OL and AD:
>
> 1.) What you are referring to is a pass through authentication, where
> all data are managed in OL except the password, i.e. bind requests
> (authentication) are proxied to AD. This is done by including
>
> {SASL}username@realm in the userPassword attribute. If you have the AD
> username in OL already, this can be done with a script quite easily.
>
> 2.) using only the data in AD and let OL proxy everything. This can be
> done via ldap backend or meta backend, both in combination with rwm
> overlay. Here you need to include the AD schema pointed to by Quanah
>
> 3.) the kerberos based solution mentioned by Dieter
>
> 4.) you can also have a look at the translucent proxy overlay
>
> Which solution is best for you depends on your requirements.
Don't forget slapo-pbind.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
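Peter's option 2 above (everything lives in AD, slapd proxies it with the ldap backend plus the rwm overlay, AD schema loaded as Dieter and Quanah advised) written out as a slapd.conf, since that is the file the original poster was working with. This is an added example, not configuration from the thread participants or from the OpenLDAP project; the hostnames, DNs, the service-account credentials and the name of the AD schema file are assumptions, while the directives themselves are the ones documented in slapd-ldap(5) and slapo-rwm(5) for 2.4.

```conf
# /etc/openldap/slapd.conf  (example; all names below are assumptions)
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema
# AD attribute types (sAMAccountName, memberOf, userPrincipalName, ...)
# are not shipped with openldap2.  The file name is an assumption for
# the AD schema Quanah pointed to; without it slapd neither knows the
# attributes in your filters nor that memberOf holds DNs (see below).
include   /etc/openldap/schema/microsoftad.schema

pidfile   /var/run/slapd/slapd.pid
argsfile  /var/run/slapd/slapd.args

# ---- proxy database: slapd-ldap(5) -------------------------------------
database  ldap
# what the application sees ...
suffix    "dc=example,dc=com"
# ... and where it really goes.  StartTLS on 389 with certificate
# verification, so the proxy refuses an impersonating "DC".
uri       "ldap://dc1.corp.example.com/"
tls       start tls_cacert=/etc/openldap/certs/corp-root-ca.pem tls_reqcert=demand
protocol-version 3
# AD answers with referrals for its other naming contexts (ForestDnsZones,
# Configuration, ...).  Do not chase them and do not hand them to the app.
chase-referrals no
norefs    yes
# AD does not allow anonymous reads, so searches the proxy performs for an
# unbound client run as this read-only service account.  mode=none: AD has
# no proxyAuthz control, so never try to assert the client identity.
# A client that binds with its own DN and password is forwarded as itself
# (the DN is massaged by rwm first), so authentication still happens in AD.
idassert-bind bindmethod=simple
              binddn="CN=svc-ldapproxy,OU=Service Accounts,DC=corp,DC=example,DC=com"
              credentials="change-me"
              mode=none
idassert-authzFrom "*"
# keep the client's credentials so a dropped upstream connection can be
# re-established as that user rather than as the service account
rebind-as-user yes

# ---- naming-context rewrite: slapo-rwm(5) ------------------------------
overlay   rwm
# Rewrites the base and DNs in requests, and entry DNs plus values of
# DN-syntax attributes (member, memberOf) in results.  That is what makes
# the application's group check work unchanged, e.g.
#   (&(objectClass=group)(member=CN=jdoe,OU=Users,dc=example,dc=com))
# or a read of memberOf on the user entry: both cross to AD with the DN
# in DC=corp,DC=example,DC=com form and come back in dc=example,dc=com
# form.  memberOf is only rewritten if the included schema declares it
# with DN syntax (1.3.6.1.4.1.1466.115.121.1.12).
rwm-suffixmassage "dc=example,dc=com" "DC=corp,DC=example,DC=com"
# Optional: an application that filters on uid gets sAMAccountName.
# Drop this line if the application already speaks AD attribute names,
# because a mapped foreign name is no longer visible under its own name.
rwm-map   attribute uid sAMAccountName

# Smoke test from the proxy host (assumed user and group):
#   ldapsearch -x -H ldap://localhost -ZZ \
#     -D "CN=jdoe,OU=Users,dc=example,dc=com" -W \
#     -b "dc=example,dc=com" "(sAMAccountName=jdoe)" memberOf
# A wrong password must fail here with err=49 coming from AD, and the
# memberOf values must show the dc=example,dc=com suffix.
```

Two practitioner caveats. The service-account password sits in clear text in slapd.conf, so the file must be readable only by the slapd user and the account itself should be an ordinary domain user with read access only; nothing in this setup needs it to be privileged. And because the application's simple binds are forwarded upstream, its users' passwords transit the proxy: put a TLS listener (ldaps:// or StartTLS with `-ZZ`) on the slapd side as well, not only on the hop to AD. For Peter's option 1 instead, the pieces are the ones the admin guide describes: `userPassword: {SASL}jdoe@CORP.EXAMPLE.COM` on each local entry, `pwcheck_method: saslauthd` in slapd's SASL configuration, and saslauthd started with `-a ldap` and an `/etc/saslauthd.conf` that points `ldap_servers`, `ldap_search_base` and `ldap_filter: (sAMAccountName=%U)` at AD with the same read-only account.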
