Re: Question about OpenLDAP and rwm overlay

2019-10-26 Thread Quanah Gibson-Mount




--On Saturday, October 26, 2019 9:27 PM +0200 Dieter Klünter wrote:



> [...]
> slapd requires part of AD schemas in order to operate back-ldap
> properly. Thus write a private schema, providing required attribute
> types and object classes.


The MSUser schema in OpenLDAP master may be useful for this.

--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:




Re: Question about OpenLDAP and rwm overlay

2019-10-26 Thread Dieter Klünter
On Sat, 26 Oct 2019 00:28:36 + "Vandenburgh, Steve Y" wrote:

> I'm attempting to use OpenLDAP as a proxy to an Active Directory
> domain.  Using the ldap backend, I'm able to configure the proxy and
> that configuration seems to be working well.   But account entries
> are frequently moved from ou to ou in a domain and Microsoft permits
> the bind DN to be a userPrincipalName attribute value of the entry
> instead of the full DN of the account; this feature avoids having to
> make many bind DN application configuration changes.
> 
> With just the ldap backend configured, OpenLDAP rejects the
> userPrincipalName (UPN) bind DN as an invalid DN.  To work around
> this error, I was trying to see if I could use the rwm overlay to
> detect the UPN  and convert to the actual domain entry DN using an
> attribute map.  If I use the form
> 
> mail=UPN
> 
> the map works as expected; however, if I only provide the UPN as the
> bind DN, OpenLDAP still rejects it as an invalid DN.   I suspect that
> the rwm overlay manipulations do not take effect until after the bind
> DN syntax is checked.  I wanted to confirm my suspicion and see if
> anyone else has been able to get a UPN-based bind to work through
> OpenLDAP.
> 
> For reference my slapd.conf configuration is below:
[...]
slapd requires part of AD schemas in order to operate back-ldap
properly. Thus write a private schema, providing required attribute
types and object classes.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Question about OpenLDAP and rwm overlay

2019-10-26 Thread Vandenburgh, Steve Y
I'm attempting to use OpenLDAP as a proxy to an Active Directory domain.  Using 
the ldap backend, I'm able to configure the proxy and that configuration seems 
to be working well.   But account entries are frequently moved from ou to ou in 
a domain and Microsoft permits the bind DN to be a userPrincipalName attribute 
value of the entry instead of the full DN of the account; this feature avoids 
having to make many bind DN application configuration changes.

With just the ldap backend configured, OpenLDAP rejects the userPrincipalName 
(UPN) bind DN as an invalid DN.  To work around this error, I was trying to see 
if I could use the rwm overlay to detect the UPN  and convert to the actual 
domain entry DN using an attribute map.  If I use the form

mail=UPN

the map works as expected; however, if I only provide the UPN as the bind DN, 
OpenLDAP still rejects it as an invalid DN.   I suspect that the rwm overlay 
manipulations do not take effect until after the bind DN syntax is checked.  I 
wanted to confirm my suspicion and see if anyone else has been able to get a 
UPN-based bind to work through OpenLDAP.

For reference my slapd.conf configuration is below:

### Schema includes ###
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema

## Module paths ##
modulepath      /usr/lib64/openldap/
moduleload      rwm

# Main settings ###
loglevel        8
sizelimit       unlimited
idletimeout     600
writetimeout    30
allow           bind_v2
pidfile         /var/openldap/mycompany/var/slapd.pid
argsfile        /var/openldap/mycompany/var/slapd.args
logfile         /var/openldap/mycompany/logs/access

TLSCertificateFile      /var/openldap/mycompany/certs/Server.pem
TLSCertificateKeyFile   /var/openldap/mycompany/certs/Server.key
TLSCACertificateFile    /var/openldap/mycompany/certs/ServerCA.pem

### Rewrite rules #

# Bind with UPN instead of full DN: we first need
# an ldap map that turns attributes into a DN (the
# argument used when invoking the map is appended to
# the URI and acts as the filter portion)

overlay rwm
rwm-suffixMassage   "" "dc=mycompany,dc=com"
rwm-rewriteMap ldap attr2dn
    "ldaps://mycompany.com/ou=Domain%20Users,dc=mycompany,dc=com?dn?sub"
    bindwhen=now version=3
    binddn="CN=mybindacct,ou=Domain Users,DC=mycompany,DC=com"
    credentials=**

# Then we need to detect UPN DN
# note that the rule in case of match stops rewriting
# In case we are mapping virtual
# to real naming contexts, we also need to rewrite
# regular DNs, because the definition of a bindDN
# rewrite context overrides the default definition.
# (the '.' in the domain is escaped so it matches a literal dot only)

rwm-rewriteContext bindDN
rwm-rewriteRule "^[^=,]+@mycompany\.com$" "mail=$0" ":"
rwm-rewriteRule "^mail=[^,]+@mycompany\.com$" "${attr2dn($0)}" ":@"

### Database definition (Proxy to AD) #
database        ldap
readonly        yes
protocol-version 3
rebind-as-user
uri             "ldaps://mycompany.com"
suffix          "dc=mycompany,dc=com"



Thanks,

Steve Vandenburgh


This communication is the property of CenturyLink and may contain confidential 
or privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful. If you have received this communication in 
error, please immediately notify the sender by reply e-mail and destroy all 
copies of the communication and any attachments.
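Editor's note with a worked example. The following slapd.conf fragments are an added example, not configuration from the thread or from the OpenLDAP project; they put Dieter's advice (a private schema carrying the AD attribute types slapd must know) next to a tightened version of Steve's rwm rules. Why the pseudo-DN form: slapd's frontend parses and validates the bind DN (dnPrettyNormal in do_bind) before any backend or overlay runs, which is why a bare `steve@mycompany.com` is refused as an invalid DN and why `mail=<upn>` gets through (`mail` is defined in cosine.schema). The same parser rejects `userPrincipalName=<upn>` until that attribute type is in the schema, so the schema file below is what makes a real UPN-based pseudo-DN possible. Assumptions: the OIDs are the published Microsoft AD schema OIDs for userPrincipalName, sAMAccountName and the user class (verify against your forest's schema partition); the proxy's virtual suffix equals the real AD suffix, so no rwm-suffixMassage and no extra bindDN rule for regular DNs is needed; host, OU and lookup account are taken from Steve's post and the password is a placeholder.

```conf
### /etc/openldap/schema/ad-upn.schema  (private AD schema subset)
# Minimal definitions so slapd can parse the AD attribute names it will
# meet in bind DNs, filters and returned entries. OIDs: Microsoft AD
# schema (assumed here; check CN=Schema,CN=Configuration,... in your forest).
attributetype ( 1.2.840.113556.1.4.656
    NAME 'userPrincipalName'
    DESC 'Active Directory userPrincipalName (user@realm)'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

attributetype ( 1.2.840.113556.1.4.221
    NAME 'sAMAccountName'
    DESC 'Active Directory pre-Windows 2000 logon name'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# AD's structural 'user' class, reduced to what the proxy needs in order
# to accept the entries the domain controllers return.
objectclass ( 1.2.840.113556.1.5.9
    NAME 'user'
    DESC 'Active Directory user (subset)'
    SUP organizationalPerson
    STRUCTURAL
    MAY ( userPrincipalName $ sAMAccountName $ mail ) )

### slapd.conf  (add after the core/cosine/inetorgperson includes)
include /etc/openldap/schema/ad-upn.schema

# ... global settings, TLS and the 'database ldap' section as in the post ...

overlay rwm
# Map a (userPrincipalName=...) filter to the matching entry's real DN.
# The map binds with a dedicated read-only lookup account; because its
# password lives in this file, keep slapd.conf mode 0600 and owned by the
# slapd user. The map opens its own outbound LDAPS connection, so make
# sure libldap's client TLS settings (TLS_CACERT / TLS_REQCERT in
# ldap.conf) verify the domain controller's certificate.
rwm-rewriteMap ldap attr2dn
    "ldaps://mycompany.com/ou=Domain%20Users,dc=mycompany,dc=com?dn?sub"
    bindwhen=now version=3
    binddn="CN=mybindacct,ou=Domain Users,DC=mycompany,DC=com"
    credentials="<lookup-account-password>"

# Clients bind with the pseudo-DN  userPrincipalName=<upn>  (attribute
# name spelled as in the schema NAME). The local part is limited to a
# safe character set so nothing that acts as an LDAP filter metacharacter
# ( * ( ) \ ) can reach the map's search filter, and the domain's '.'
# is escaped so only a literal dot matches.
# Flags: ':' introduces the flags, '@' stops rewriting after a match,
# 'I' ignores map errors (an unknown UPN leaves the DN untouched, so AD
# answers with the same invalid-credentials result as a wrong password).
rwm-rewriteContext bindDN
rwm-rewriteRule "^userPrincipalName=[A-Za-z0-9._-]+@mycompany\.com$" "${attr2dn($0)}" ":@I"
```

With this in place an application binds as `userPrincipalName=steve@mycompany.com`; slapd accepts the string as a DN because the attribute type is now known, rwm resolves it through the map to the account's current DN under ou=Domain Users, and back-ldap forwards the bind to AD with that DN, so moving the account between OUs no longer breaks the client configuration. If the proxy does massage a virtual suffix onto a different real suffix, the man-page caveat Steve quotes still applies: defining a bindDN rewrite context replaces the default rules, so the suffix-massage rule for ordinary DNs has to be repeated inside that context.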