Re: Question about OpenLDAP and rwm overlay

2020-01-17 Thread Ondřej Kuzník
On Mon, Jan 13, 2020 at 10:20:07PM +, Vandenburgh, Steve Y wrote:
> Michael,
> 
> I know this thread is old, but wanted to follow up by asking: would it
> be possible to delay the BIND DN syntax check until after rwm
> manipulations are completed?  Unfortunately, there is a lot of client
> software that is dependent on this quirk but it would be very
> beneficial to be able to use OpenLDAP as a proxy to AD.  I suspect
> that delaying the syntax check until after rwm manipulations would
> allow UPN-based authentication to work.

Hi Steve,
DN validation for binds/search bases/... happens way too early in the
frontend for this to be possible. Same reason why you can't write a
slapd module to handle the magic '' AD DNs.

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation   http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP



Re: Question about OpenLDAP and rwm overlay

2020-01-13 Thread Michael Ströder
On 1/13/20 11:20 PM, Vandenburgh, Steve Y wrote:
> I know this thread is old, but wanted to follow up by asking: would
> it be possible to delay the BIND DN syntax check until after rwm
> manipulations are completed?
AFAIK it is not possible.

Note that slapo-rwm operates on syntactically correct DNs.

Ciao, Michael.

> -Original Message-
> From: Michael Ströder 
> Sent: Tuesday, October 29, 2019 4:06 PM
> To: Vandenburgh, Steve Y 
> Cc: openldap-technical@openldap.org
> Subject: Re: Question about OpenLDAP and rwm overlay
> 
> On 10/29/19 4:55 AM, Vandenburgh, Steve Y wrote:
>> I'm trying to perform a simple bind operation with a UPN and password.
> 
> This AD-specific quirk is not possible with OpenLDAP.
> 
> Ciao, Michael.



RE: Question about OpenLDAP and rwm overlay

2020-01-13 Thread Vandenburgh, Steve Y
Michael,

I know this thread is old, but wanted to follow up by asking: would it be 
possible to delay the BIND DN syntax check until after rwm manipulations are 
completed?  Unfortunately, there is a lot of client software that is dependent 
on this quirk but it would be very beneficial to be able to use OpenLDAP as a 
proxy to AD.  I suspect that delaying the syntax check until after rwm 
manipulations would allow UPN-based authentication to work.

Thanks,

Steve Vandenburgh


-Original Message-
From: Michael Ströder 
Sent: Tuesday, October 29, 2019 4:06 PM
To: Vandenburgh, Steve Y 
Cc: openldap-technical@openldap.org
Subject: Re: Question about OpenLDAP and rwm overlay

On 10/29/19 4:55 AM, Vandenburgh, Steve Y wrote:
> I'm trying to perform a simple bind operation with a UPN and password.

This AD-specific quirk is not possible with OpenLDAP.

Ciao, Michael.


Re: Question about OpenLDAP and rwm overlay

2019-10-29 Thread Michael Ströder
On 10/29/19 4:55 AM, Vandenburgh, Steve Y wrote:
> I'm trying to perform a simple bind operation with a UPN and password.

This AD-specific quirk is not possible with OpenLDAP.

Ciao, Michael.



RE: Question about OpenLDAP and rwm overlay

2019-10-29 Thread Vandenburgh, Steve Y
Thanks Dieter.  I'm trying to perform a simple bind operation with a UPN and 
password.  Based on this OpenLDAP mail archive: 
https://openldap-technical.openldap.narkive.com/8IrfS6xa/binding-with-an-e-mail-address
authid-rewrite or olcAuthIdRewrite can only be used to modify the DN for SASL 
or certificate-based authentication; it can't be used to modify simple bind 
DNs.  Is that still the case?  Or is this information now out of date?

Thanks again,

Steve Vandenburgh
LDAP Directory Services/Identity Management
CenturyLink
(720)738-2688

-Original Message-
From: Dieter Kluenter 
Sent: Monday, October 28, 2019 12:44 PM
To: Vandenburgh, Steve Y 
Cc: openldap-technical@openldap.org
Subject: Re: Question about OpenLDAP and rwm overlay

"Vandenburgh, Steve Y"  writes:

> Thanks for the tip Quanah (and Dieter).  I have added the MSUser
> schema to the configuration.  However, I'm still getting the same
> behavior.  If I use a bind DN like
>
> Mail=myn...@mycompany.com
>
> which is potentially a valid DN, the rewriting is applied; however if
> the bind DN is just the email address e.g.
>
> myn...@mycompany.com
>
> then OpenLDAP returns error 34 (invalid DN).  So before I do more
> troubleshooting, I wanted to ask if the rewrite rules can be applied
> before the syntax check on the bind DN is done.  If the OpenLDAP
> server always performs the syntax check on the DN before any rewrite
> rules are applied, then what I'm trying to accomplish (using a
> Microsoft UPN bind DN) cannot be done.

For this sort of DN rewriting slapd.conf(5) provides 'authid-rewrite' or 
'olcAuthIdRewrite' in slapd-config(5).

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



RE: Question about OpenLDAP and rwm overlay

2019-10-29 Thread Vandenburgh, Steve Y
Thanks for the tip Quanah (and Dieter).  I have added the MSUser schema to the 
configuration.  However, I'm still getting the same behavior.  If I use a bind 
DN like

Mail=myn...@mycompany.com

which is potentially a valid DN, the rewriting is applied; however if the bind 
DN is just the email address e.g.

myn...@mycompany.com

then OpenLDAP returns error 34 (invalid DN).  So before I do more 
troubleshooting, I wanted to ask if the rewrite rules can be applied before the 
syntax check on the bind DN is done.  If the OpenLDAP server always performs 
the syntax check on the DN before any rewrite rules are applied, then what I'm 
trying to accomplish (using a Microsoft UPN bind DN) cannot be done.

Thanks again,

Steve Vandenburgh
LDAP Directory Services/Identity Management
CenturyLink
(720)738-2688

-Original Message-
From: openldap-technical  On Behalf Of 
Quanah Gibson-Mount
Sent: Saturday, October 26, 2019 1:57 PM
To: Dieter Klünter ; openldap-technical@openldap.org
Subject: Re: Question about OpenLDAP and rwm overlay



--On Saturday, October 26, 2019 9:27 PM +0200 Dieter Klünter 
 wrote:

> [...]
> slapd requires part of AD schemas in order to operate back-ldap
> properly. Thus write a private schema, providing required attribute
> types and object classes.

The MSUser schema in OpenLDAP master may be useful for this.

--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>



Re: Question about OpenLDAP and rwm overlay

2019-10-28 Thread Dieter Kluenter
"Vandenburgh, Steve Y"  writes:

> Thanks for the tip Quanah (and Dieter).  I have added the MSUser
> schema to the configuration.  However, I'm still getting the same
> behavior.  If I use a bind DN like
>
> Mail=myn...@mycompany.com
>
> which is potentially a valid DN, the rewriting is applied; however if
> the bind DN is just the email address e.g.
>
> myn...@mycompany.com
>
> then OpenLDAP returns error 34 (invalid DN).  So before I do more
> troubleshooting, I wanted to ask if the rewrite rules can be applied
> before the syntax check on the bind DN is done.  If the OpenLDAP
> server always performs the syntax check on the DN before any rewrite
> rules are applied, then what I'm trying to accomplish (using a
> Microsoft UPN bind DN) cannot be done.

For this sort of DN rewriting slapd.conf(5) provides
'authid-rewrite' or 'olcAuthIdRewrite' in slapd-config(5).

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Question about OpenLDAP and rwm overlay

2019-10-26 Thread Quanah Gibson-Mount
--On Saturday, October 26, 2019 9:27 PM +0200 Dieter Klünter 
 wrote:

> [...]
> slapd requires part of AD schemas in order to operate back-ldap
> properly. Thus write a private schema, providing required attribute
> types and object classes.


The MSUser schema in OpenLDAP master may be useful for this.

--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:




Re: Question about OpenLDAP and rwm overlay

2019-10-26 Thread Dieter Klünter
Am Sat, 26 Oct 2019 00:28:36 +
schrieb "Vandenburgh, Steve Y" :

> I'm attempting to use OpenLDAP as a proxy to an Active Directory
> domain.  Using the ldap backend, I'm able to configure the proxy and
> that configuration seems to be working well.   But account entries
> are frequently moved from ou to ou in a domain and Microsoft permits
> the bind DN to be a userPrincipalName attribute value of the entry
> instead of the full DN of the account; this feature avoids having to
> make many bind DN application configuration changes.
> 
> With just the ldap backend configured, OpenLDAP rejects the
> userPrincipalName (UPN) bind DN as an invalid DN.  To work around
> this error, I was trying to see if I could use the rwm overlay to
> detect the UPN and convert to the actual domain entry DN using an
> attribute map.  If I use the form
> 
> mail=UPN
> 
> the map works as expected; however, if I only provide the UPN as the
> bind DN, OpenLDAP still rejects it as an invalid DN.   I suspect that
> the rwm overlay manipulations do not take effect until after the bind
> DN syntax is checked.  I wanted to confirm my suspicion and see if
> anyone else has been able to get a UPN-based bind to work through
> OpenLDAP.
> 
> For reference my slapd.conf configuration is below:
[...]
slapd requires part of AD schemas in order to operate back-ldap
properly. Thus write a private schema, providing required attribute
types and object classes.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Question about OpenLDAP and rwm overlay

2019-10-26 Thread Vandenburgh, Steve Y
I'm attempting to use OpenLDAP as a proxy to an Active Directory domain.  Using 
the ldap backend, I'm able to configure the proxy and that configuration seems 
to be working well.   But account entries are frequently moved from ou to ou in 
a domain and Microsoft permits the bind DN to be a userPrincipalName attribute 
value of the entry instead of the full DN of the account; this feature avoids 
having to make many bind DN application configuration changes.

With just the ldap backend configured, OpenLDAP rejects the userPrincipalName 
(UPN) bind DN as an invalid DN.  To work around this error, I was trying to see 
if I could use the rwm overlay to detect the UPN and convert to the actual 
domain entry DN using an attribute map.  If I use the form

mail=UPN

the map works as expected; however, if I only provide the UPN as the bind DN, 
OpenLDAP still rejects it as an invalid DN.  I suspect that the rwm overlay 
manipulations do not take effect until after the bind DN syntax is checked.  I 
wanted to confirm my suspicion and see if anyone else has been able to get a 
UPN-based bind to work through OpenLDAP.

For reference my slapd.conf configuration is below:

### Schema includes ###
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema

## Module paths ##
modulepath  /usr/lib64/openldap/
moduleload  rwm

# Main settings ###
loglevel                8
sizelimit               unlimited
idletimeout             600
writetimeout            30
allow                   bind_v2
pidfile                 /var/openldap/mycompany/var/slapd.pid
argsfile                /var/openldap/mycompany/var/slapd.args
logfile                 /var/openldap/mycompany/logs/access

TLSCertificateFile      /var/openldap/mycompany/certs/Server.pem
TLSCertificateKeyFile   /var/openldap/mycompany/certs/Server.key
TLSCACertificateFile    /var/openldap/mycompany/certs/ServerCA.pem

### Rewrite rules #

# Bind with UPN instead of full DN: we first need
# an ldap map that turns attributes into a DN (the
# argument used when invoking the map is appended to
# the URI and acts as the filter portion)

overlay             rwm
rwm-suffixMassage   "" "dc=mycompany,dc=com"
# (lines starting with whitespace continue the previous directive)
rwm-rewriteMap      ldap attr2dn
    "ldaps://mycompany.com/ou=Domain%20Users,dc=mycompany,dc=com?dn?sub"
    bindwhen=now version=3
    binddn="CN=mybindacct,ou=Domain Users,DC=mycompany,DC=com"
    credentials=**

# Then we need to detect UPN DN
# note that the rule in case of match stops rewriting
# In case we are mapping virtual
# to real naming contexts, we also need to rewrite
# regular DNs, because the definition of a bindDN
# rewrite context overrides the default definition.

rwm-rewriteContext bindDN
rwm-rewriteRule "^[^=,]+@mycompany.com$" "mail=$0" ":"
rwm-rewriteRule "^mail=[^,]+@mycompany.com$" "${attr2dn($0)}" ":@"



### Database definition (Proxy to AD) #
database            ldap
readonly            yes
protocol-version    3
rebind-as-user
uri                 "ldaps://mycompany.com"
suffix              "dc=mycompany,dc=com"



Thanks,

Steve Vandenburgh


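The ordering Michael and Ondřej describe, as an added illustration that is not part of the thread: a Python model of slapd's DN syntax check running ahead of the two bindDN rewriteRules from Steve's slapd.conf, showing why a bare UPN comes back as error 34 while mail=UPN is rewritten. The attr2dn LDAP map, the lookup table contents, the function names and the rule-flag handling are assumptions of this example.

```python
import re

# Minimal RFC 4514 check standing in for the validation slapd's frontend applies
# to a bind DN before any overlay (rwm included) sees it: each RDN is type=value.
def split_unescaped(text, sep):
    parts, cur, esc = [], "", False
    for ch in text:
        if not esc and ch == sep:
            parts.append(cur)
            cur = ""
            continue
        esc = (ch == "\\") and not esc      # backslash escapes the next char
        cur += ch
    return parts + [cur]

_AVA = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)=")

def is_valid_dn(dn):
    if dn == "":
        return True                         # the empty DN is legal (anonymous)
    return all(_AVA.match(ava)
               for rdn in split_unescaped(dn, ",")
               for ava in split_unescaped(rdn, "+"))

# Steve's two bindDN rewriteRules (dot escaped here); attr2dn is replaced by a
# constructed table and the ':'/':@' action flags are not modelled (rules run in order).
ATTR2DN = {"mail=jdoe@mycompany.com":
           "CN=jdoe,OU=Domain Users,DC=mycompany,DC=com"}   # constructed
RULES = [
    (re.compile(r"^[^=,]+@mycompany\.com$"), lambda m: "mail=" + m.group(0)),
    (re.compile(r"^mail=[^,]+@mycompany\.com$"),
     lambda m: ATTR2DN.get(m.group(0), m.group(0))),
]

def rwm_rewrite(dn):
    for pattern, subst in RULES:
        m = pattern.match(dn)
        if m:
            dn = subst(m)
    return dn

def bind_dn(dn, rewrite_first=False):
    """(resultCode, effective DN), 34 = invalidDNSyntax. slapd validates first;
    rewrite_first=True models the order asked for in the thread, which slapd lacks."""
    if rewrite_first:
        dn = rwm_rewrite(dn)
    if not is_valid_dn(dn):
        return 34, dn
    return 0, dn if rewrite_first else rwm_rewrite(dn)
```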