Put a cluster of read-only DCs in one DMZ, then a TCP proxy cluster in front of the DCs, that's in a second DMZ?

On Tue, Oct 14, 2014 at 5:24 PM, Jeff Lebo <[email protected]> wrote:
> Yea, the logic I am looking for is:
>
> If user authenticates with @domain.com, passthrough/redirect authentication
> on to LDAP backend, WITHOUT looking for a local entry in the OpenLDAP
> database.
>
> This network doesn't have the resources to maintain another user database,
> even if it's via some automated sync process... was just hoping to implement a
> "dumb" reverse proxy for LDAP in order to prevent storing
> usernames/passwords in an Internet facing DMZ (or in the case of using a
> Windows LDAP server, putting a DC member in the DMZ).
>
>> Date: Tue, 14 Oct 2014 17:18:01 -0700
>> Subject: Re: OpenLDAP as proxy to Active Directory backend
>> From: [email protected]
>> To: [email protected]
>> CC: [email protected]
>>
>> That's right, you have to create LDAP entries for the passthrough
>> authentication. I guess you could create some kind of sync service
>> between AD and the LDAP proxy, but it might be kind of hairy to get it
>> working properly. Others might have better suggestions.
>>
>> On Tue, Oct 14, 2014 at 5:11 PM, Jeff Lebo <[email protected]> wrote:
>> > Bruce,
>> >
>> > My SASL authentication is working...
>> >
>> > I am still confused on how to set up OpenLDAP to pass ALL attempts through to
>> > SASL. The only method I've found is to create users in a local OpenLDAP
>> > database and set the userPassword attribute to {SASL}username@REALM.
>> >
>> > What am I missing here?
>> >
>> >> Date: Tue, 14 Oct 2014 16:23:26 -0700
>> >> Subject: Re: OpenLDAP as proxy to Active Directory backend
>> >> From: [email protected]
>> >> To: [email protected]
>> >> CC: [email protected]
>> >>
>> >> Jeff,
>> >>
>> >> The basic functionality is there. You can tell OpenLDAP to use SASL
>> >> for authentication, against any available SASL mechanism that's
>> >> supported on your platform. Part of the story is here:
>> >>
>> >> http://www.openldap.org/doc/admin24/security.html#Pass-Through authentication
>> >>
>> >> Pay very close attention to paragraph 14.5.1. That little SASL config
>> >> file (not part of OpenLDAP) will stop the show if it's not right.
>> >>
>> >> I almost had it working, but I couldn't do it, because I still needed
>> >> local LDAP password hashes in my use case. I couldn't get the "{SASL}"
>> >> password value to work for some reason. Turning on SASL pass-through
>> >> seemed to be an all or nothing choice in my case. You will probably
>> >> have to do some work to get it up and running.
>> >>
>> >> Best,
>> >>
>> >> --Bruce
>> >>
>> >> On Tue, Oct 14, 2014 at 1:46 PM, Jeff Lebo <[email protected]> wrote:
>> >> > Goal: LDAP server in Internet facing DMZ to provide authentication for
>> >> > externally hosted applications using internal AD credentials.
>> >> >
>> >> > I've done a LOT of reading and testing, and there is one thing I am still
>> >> > not 100% clear on:
>> >> >
>> >> > Is it possible to do this WITHOUT having a local user database on the
>> >> > OpenLDAP proxy? We will have thousands of users that will need to
>> >> > authenticate, and I can't maintain another user database (adds, removes,
>> >> > etc..). Is there a way to make OpenLDAP just act more like a reverse proxy
>> >> > and forward anything that matches a specific domain on to the internal
>> >> > LDAP/AD server for password verification?
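The "dumb reverse proxy" the thread asks about is closer to OpenLDAP's ldap backend (back-ldap) than to SASL pass-through, which needs a local entry per user. The slapd.conf below is an added example, not from the thread or the OpenLDAP documentation; hostnames, suffix, and certificate paths are assumed.

```conf
# Added example: slapd.conf for an OpenLDAP host in the DMZ that relays binds
# and searches to internal AD controllers via back-ldap. No mdb/bdb database is
# defined, so the DMZ host stores no user entries and no password hashes.
# Hostnames, suffix and file paths are assumptions.
include         /etc/openldap/schema/core.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
moduleload      back_ldap.la

# TLS on the Internet-facing side, and refuse simple binds below SSF 128 so
# cleartext passwords never cross the DMZ boundary.
TLSCertificateFile      /etc/openldap/certs/proxy.crt
TLSCertificateKeyFile   /etc/openldap/certs/proxy.key
security                simple_bind=128

database        ldap
suffix          "dc=domain,dc=com"
# Internal DCs; the proxy uses StartTLS towards AD and verifies the AD CA.
uri             "ldap://dc1.internal.domain.com ldap://dc2.internal.domain.com"
tls             start tls_cacert=/etc/openldap/certs/ad-ca.pem tls_reqcert=demand
protocol-version 3

# A client bind is forwarded to AD unchanged, so AD does the password check.
# Operations from that client then travel over an upstream connection bound as
# that client; rebind-as-user keeps the credentials so a dropped upstream
# connection is re-established as the same user, not anonymously.
rebind-as-user  yes
# AD returns referrals for other naming contexts; do not follow them from the DMZ.
chase-referrals no
# Recycle upstream connections rather than keeping bound sessions open for days.
idle-timeout    300
conn-ttl        3600
network-timeout 10
# No writes through the DMZ.
readonly        on

# slapd ACLs still apply to relayed results: anonymous clients get nothing, so
# the DMZ host cannot be used to enumerate the internal directory.
access to *
        by users read
        by * none
```

Clients must bind with a full AD distinguished name under the suffix, because slapd validates the bind name as a DN before the request is relayed; an application that binds with a service account, searches for the user's DN, then binds as the user works unchanged, with both binds verified by AD.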
