> You probably need to delete the userPassword attribute?
> This is correct.
Finally got it working. Thanks for all the help!
I was able to piece the solution together. As previously mentioned, most
guidance out there focused on configuring it with slapd.conf; however, in my
case I was trying to use the Bitnami openldap container, which does not use a
slapd.conf but instead uses dynamic runtime configuration, which complicated
matters. Here's the config that works for pass-through remoteauth
authentication as well as utilizing argon2 password hashing, leveraging the
bitnami openldap container, for anyone that may find themselves in this
nightmare in the future:
docker-compose.yml:

openldap:
  image: bitnami/openldap:latest
  container_name: openldap_app
  ports:
    - '1389:1389'
    - '1636:1636'
  environment:
    - LDAP_ROOT=dc=local-openldap-domain,dc=local
    - LDAP_ADMIN_USERNAME=ldap-admin
    - LDAP_ADMIN_PASSWORD=ldap_admin_password
    - LDAP_USERS=some-ldap-user
    - LDAP_PASSWORDS=some_ldap_user_password
    - LDAP_EXTRA_SCHEMAS=cosine,inetorgperson,nis,argon2,remoteauth
    - BITNAMI_DEBUG=true
    - LDAP_LOG_LEVEL=1
  networks:
    openldap_net_ext:
      ipv4_address: 172.16.xxx.xxx
  volumes:
    - openldap_data:/bitnami/openldap
    - ./schema-argon2.ldif:/opt/bitnami/openldap/etc/schema/schema-argon2.ldif
    - ./schema-remoteauth.ldif:/opt/bitnami/openldap/etc/schema/schema-remoteauth.ldif
    - ./custom-argon2.ldif:/custom/custom-argon2.ldif
    - ./custom-remoteauth.ldif:/custom/custom-remoteauth.ldif
schema-argon2.ldif:
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: argon2.so
schema-remoteauth.ldif:
dn: cn=module{2},cn=config
objectClass: olcModuleList
cn: module{2}
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: remoteauth.so
custom-argon2.ldif:
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {ARGON2}
custom-remoteauth.ldif:
dn: olcOverlay={6}remoteauth,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRemoteAuthCfg
olcOverlay: {6}remoteauth
olcRemoteAuthDNAttribute: seeAlso
olcRemoteAuthDomainAttribute: associatedDomain
olcRemoteAuthDefaultDomain: ad-domain
olcRemoteAuthMapping: ad-domain dc01.ad-domain.tld
olcRemoteAuthTLS: starttls=no tls_reqcert=never
olcRemoteAuthRetryCount: 3
Once the container is up, add the custom-argon2.ldif and the
custom-remoteauth.ldif files (at the paths they are mounted to in the
compose file) as follows:
docker exec openldap_app ldapadd -H ldapi:/// -Y EXTERNAL -f /custom/custom-argon2.ldif
docker exec openldap_app ldapadd -H ldapi:/// -Y EXTERNAL -f /custom/custom-remoteauth.ldif
For a remoteauth user, use the following attributes to create a user in
openldap, where seeAlso is the DN of the user in the remote AD domain. I'm
guessing it should work with just the username on the remote domain:
dn: cn=jsmoe,ou=users,dc=local-openldap-domain,dc=local
objectClass: domainRelatedObject
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
associatedDomain: ad-domain
cn: jsmoe
sn: Smoe
displayName: Joe Smoe
givenName: Joe
mail: [email protected]
seeAlso: cn=Joe Smoe,ou=Users,dc=ad-domain,dc=tld
uid: jsmoe
For a local openldap user, I use the following attributes to create a user
in openldap:
dn: cn=mjane,ou=users,dc=local-openldap-domain,dc=local
objectClass: inetOrgPerson
cn: mjane
sn: Jane
displayName: Mary Jane
givenName: Mary
mail: [email protected]
uid: mjane
userPassword: {ARGON2}$argon2id$v=19$m=7168,t=5,p=1$NaoI0qbKSpD5Hle+WhfncQ$HIWlTiUf02j8+tqOattpu2Z9tKyPGXG0YxyrxhmFDFs
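As an added example (not part of the original post or of the OpenLDAP or Bitnami projects), here is a small standard-library Python linter for LDIF of the kind shown above. It catches the three mistakes that are easy to make in this setup: an RDN that does not match the entry's own attribute (a cn=module{2} entry whose cn says module{1}), a remoteauth user that still carries a userPassword (the thread's advice is to delete it), and a local user whose userPassword is not a well-formed {ARGON2} PHC string. The sample LDIF is constructed in the shape of the post's entries, with the two defects left in on purpose so the checks fire; "{SSHA}placeholder" is not a real hash, and MIN_MEMORY_KIB is an assumed local policy floor, not an OpenLDAP setting.

```python
"""Lint LDIF before loading it into cn=config or the user tree."""
import base64
import re

# Constructed sample in the shape of the post's entries. The cn mismatch on
# module{2} and the leftover userPassword on jsmoe are deliberate.
SAMPLE_LDIF = """\
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: argon2.so

dn: cn=module{2},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: remoteauth.so

dn: cn=jsmoe,ou=users,dc=local-openldap-domain,dc=local
objectClass: domainRelatedObject
objectClass: inetOrgPerson
associatedDomain: ad-domain
cn: jsmoe
sn: Smoe
seeAlso: cn=Joe Smoe,ou=Users,dc=ad-domain,dc=tld
uid: jsmoe
userPassword: {SSHA}placeholder

dn: cn=mjane,ou=users,dc=local-openldap-domain,dc=local
objectClass: inetOrgPerson
cn: mjane
sn: Jane
uid: mjane
userPassword: {ARGON2}$argon2id$v=19$m=7168,t=5,p=1$NaoI0qbKSpD5Hle+WhfncQ$HIWlTiUf02j8+tqOattpu2Z9tKyPGXG0YxyrxhmFDFs
"""

# {ARGON2}<PHC string>: variant, version, m/t/p costs, unpadded-base64 salt and hash
ARGON2_RE = re.compile(
    r"^\{ARGON2\}\$(argon2(?:id|i|d))\$v=19\$m=(\d+),t=(\d+),p=(\d+)"
    r"\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$"
)

MIN_MEMORY_KIB = 7168  # assumed local policy floor for this example


def _b64_unpadded(s):
    """Decode base64 with or without padding (PHC strings omit it)."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts. Handles folded
    continuation lines (leading space), comment lines and base64 values ('::')."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = _b64_unpadded(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def parse_argon2(value):
    """Return (variant, m, t, p, salt_bytes, hash_bytes), or None if malformed."""
    m = ARGON2_RE.match(value)
    if not m:
        return None
    variant, mem, t, p, salt, digest = m.groups()
    return variant, int(mem), int(t), int(p), _b64_unpadded(salt), _b64_unpadded(digest)


def lint(text):
    """Return a list of human-readable problems found in the LDIF text."""
    problems = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0]
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        # The RDN value must appear among the entry's own attribute values.
        if rdn_val not in entry.get(rdn_attr, []):
            problems.append(f"{dn}: RDN value '{rdn_val}' missing from attribute "
                            f"{rdn_attr} {entry.get(rdn_attr)}")
        classes = {c.lower() for c in entry.get("objectClass", [])}
        remote = "domainrelatedobject" in classes and "seeAlso" in entry
        if remote:
            if "userPassword" in entry:
                problems.append(f"{dn}: remoteauth user still has userPassword; delete it")
            continue
        for pw in entry.get("userPassword", []):
            parsed = parse_argon2(pw)
            if parsed is None:
                problems.append(f"{dn}: userPassword is not an {{ARGON2}} PHC string")
                continue
            variant, mem, t, p, salt, digest = parsed
            if variant != "argon2id":
                problems.append(f"{dn}: {variant} used, argon2id expected")
            if mem < MIN_MEMORY_KIB or len(salt) < 16 or len(digest) < 32:
                problems.append(f"{dn}: weak argon2 parameters m={mem},t={t},p={p}, "
                                f"salt={len(salt)}B, hash={len(digest)}B")
    return problems


if __name__ == "__main__":
    for problem in lint(SAMPLE_LDIF):
        print(problem)
```

Run it against the real .ldif files before `ldapadd` and fix anything it reports; on the constructed sample it reports the module{2} RDN mismatch and the userPassword left on the remoteauth user, and accepts the local user's argon2id hash (16-byte salt, 32-byte hash, m=7168, t=5, p=1).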