OPENLDAP AS PROXY TO AD

From SambaWiki


CONTENTS

 * 1 openLDAP as proxy to Active Directory
 * 2 Nslcd: Retrieve user/groups from AD through openLDAP proxy
 * 3 Authentication against AD through openLDAP proxy





OPENLDAP AS PROXY TO ACTIVE DIRECTORY

Example of where you might need this: if you don't want to run a DC, with all
its services and open ports, in your DMZ, you can set up a back-ldap proxy with
openLDAP. You can then restrict access to your DC to this one host and the
LDAP port 389; all services on other hosts in your DMZ access the AD through
the proxy.




 * Use the following slapd.conf example:

### Schema includes ###########################################################
include                 /etc/openldap/schema/core.schema
include                 /etc/openldap/schema/cosine.schema
include                 /etc/openldap/schema/inetorgperson.schema
include                 /etc/openldap/schema/misc.schema
include                 /etc/openldap/schema/nis.schema

## Module paths ##############################################################
modulepath              /usr/lib64/openldap/
moduleload              back_ldap
moduleload              rwm

# Main settings ###############################################################
pidfile                 /var/run/openldap/slapd.pid
argsfile                /var/run/openldap/slapd.args

### Database definition (Proxy to AD) #########################################
database                ldap
readonly                yes
protocol-version        3
rebind-as-user
uri                     "ldap://{AD-Hostname/IP}:389"
suffix                  "{your Domain DN}"
overlay                 rwm
rwm-map                 attribute       uid     sAMAccountName
rwm-map                 attribute       mail    proxyAddresses

### Logging ###################################################################
loglevel                0


If you already have an openLDAP server with a local database running, you can
just add the proxy part, as long as your AD resides in a different branch.

 * If you don't need to remap attributes (e.g. mapping "sAMAccountName" to "uid"
   and "proxyAddresses" to "mail" in the example above), you can skip these
   parameters.

 * If you do remap attributes, then, when using ldap/slap commands, you may get
   errors similar to (for the above two remappings):

 /etc/openldap/slapd.conf: line 28: warning, destination attributeType 'sAMAccountName' is not defined in schema
 PROXIED attributeDescription "SAMACCOUNTNAME" inserted.
 /etc/openldap/slapd.conf: line 29: warning, destination attributeType 'proxyAddresses' is not defined in schema
 PROXIED attributeDescription "PROXYADDRESSES" inserted.


This happens if you remap attributes that are not defined in your included
schemas. Look up the valid schema definitions for these attributes, put them in
a file and include that file in slapd.conf. For the above two mappings, the
following should be in the schema file to stop the two warnings:

attributetype ( 1.2.840.113556.1.4.221
       NAME 'sAMAccountName'
       SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
       SINGLE-VALUE )

attributetype ( 1.2.840.113556.1.2.210
       NAME 'proxyAddresses'
       SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )





 * Restart the openLDAP service.
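To see what the two rwm-map lines and "readonly yes" in the slapd.conf above do to a client's request, here is an added illustration in Python. It is not OpenLDAP code: it is a simplified model of the rwm attribute mapping (filters rewritten on the way to AD, entries rewritten on the way back) and of the read-only backend, run on a constructed AD entry and constructed values in place of the {AD-Hostname/IP} and {your Domain DN} placeholders. Only single equality assertions are evaluated against the sample entry; the filter rewriting itself handles any filter.

```python
import re

# The relevant lines of the slapd.conf example, with constructed values in
# place of the {AD-Hostname/IP} and {your Domain DN} placeholders.
SLAPD_CONF = """\
database                ldap
readonly                yes
uri                     "ldap://ad.example.com:389"
suffix                  "dc=example,dc=com"
overlay                 rwm
rwm-map                 attribute       uid     sAMAccountName
rwm-map                 attribute       mail    proxyAddresses
"""

# Constructed stand-in for the AD side: one user object, sample values only.
AD_DIRECTORY = {
    "CN=Alice Example,CN=Users,DC=example,DC=com": {
        "objectClass": ["user", "posixAccount"],
        "sAMAccountName": ["alice"],
        "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.example@example.com"],
        "uidNumber": ["10001"],
    },
}


def parse_slapd_conf(text):
    """Return (readonly, {client_attr: ad_attr}) from the relevant directives."""
    readonly, mapping = False, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "readonly":
            readonly = parts[1].lower() == "yes"
        elif len(parts) == 4 and parts[:2] == ["rwm-map", "attribute"]:
            mapping[parts[2]] = parts[3]
    return readonly, mapping


def rewrite_filter(ldap_filter, mapping):
    """Client -> AD: rename attributes in (attr=value) assertions.
    Attribute names compare case-insensitively, as in LDAP."""
    lower = {k.lower(): v for k, v in mapping.items()}

    def repl(m):
        return "(" + lower.get(m.group(1).lower(), m.group(1)) + m.group(2)

    return re.sub(r"\(([A-Za-z][A-Za-z0-9-]*)([=~<>])", repl, ldap_filter)


def rewrite_entry(entry, mapping):
    """AD -> client: rename attributes of a returned entry to the client-side names."""
    reverse = {v.lower(): k for k, v in mapping.items()}
    return {reverse.get(attr.lower(), attr): vals for attr, vals in entry.items()}


def matches(entry, ldap_filter):
    """Evaluate a single equality assertion against an entry; '*' means presence."""
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=([^)]*)\)", ldap_filter)
    if not m:
        raise ValueError("only single equality assertions are modelled here")
    attr, value = m.groups()
    vals = next((v for a, v in entry.items() if a.lower() == attr.lower()), [])
    return bool(vals) if value == "*" else any(v.lower() == value.lower() for v in vals)


class ProxyModel:
    """What the client sees: filters go out rewritten, entries come back
    rewritten, and writes are refused because of 'readonly yes'."""

    def __init__(self, conf_text, backend):
        self.readonly, self.mapping = parse_slapd_conf(conf_text)
        self.backend = backend

    def search(self, client_filter):
        ad_filter = rewrite_filter(client_filter, self.mapping)
        hits = {dn: e for dn, e in self.backend.items() if matches(e, ad_filter)}
        return ad_filter, {dn: rewrite_entry(e, self.mapping) for dn, e in hits.items()}

    def modify(self, dn, changes):
        if self.readonly:
            return "unwillingToPerform (53)"  # refused at the proxy, never sent to AD
        self.backend[dn].update(changes)
        return "success (0)"


if __name__ == "__main__":
    proxy = ProxyModel(SLAPD_CONF, AD_DIRECTORY)
    sent, found = proxy.search("(uid=alice)")
    print("filter sent to AD:", sent)
    for dn, entry in found.items():
        print(dn, entry)
    print("modify via proxy:", proxy.modify(next(iter(AD_DIRECTORY)), {"uidNumber": ["1"]}))
```

Running it shows a client filter "(uid=alice)" leaving the proxy as "(sAMAccountName=alice)" and the entry coming back with "uid" and "mail" instead of the AD names. Note what the second mapping implies: AD's proxyAddresses values carry an address-type prefix such as "SMTP:", so a client reading "mail" through this proxy receives those prefixed strings, not bare addresses.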








NSLCD: RETRIEVE USER/GROUPS FROM AD THROUGH OPENLDAP PROXY

Example of where you need this: you need to resolve users/groups from AD
through an openLDAP proxy because you want to see usernames/group names instead
of UIDs/GIDs, or you need to provide authentication against AD through the
openLDAP proxy.

 * This requires that you have successfully configured an openLDAP proxy to AD.

 * Create a new user in ADUC or with samba-tool that nslcd will use for
   connecting to the AD ("nslcd-connect" is used in the example below).

 * Adapt the following "/etc/nslcd.conf" example to your environment:

# Mappings for Active Directory
pagesize 1000
referrals off

# Passwd
filter passwd (&(objectClass=posixAccount)(!(objectClass=computer))(uidNumber=*))
map    passwd homeDirectory     UnixHomeDirectory
map    passwd gecos             displayName
map    passwd gidNumber         primaryGroupID

# Shadow
filter shadow (&(objectClass=posixAccount)(!(objectClass=computer))(uidNumber=*))
map    shadow shadowLastChange  pwdLastSet

# Groups
filter group (&(objectClass=posixGroup)(gidNumber=*))
map    group uniqueMember       member
 
# Local account for nslcd
uid nslcd
gid ldap

# Where is the LDAP
uri ldap://{openLDAP-Proxy-Hostname/IP}:389
base cn=Users,{your Domain DN}

# Connect-Account
binddn cn=nslcd-connect,cn=Users,{your Domain DN}
bindpw {password}


This example assumes that you've mapped the attribute "sAMAccountName" to
"uid", as in the openLDAP proxy to AD example above. Otherwise you have to map
the attribute here. It is also required that the user accounts have a
uidNumber and the groups a gidNumber attribute.

 * Start the nslcd service.
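The "filter passwd" and "map passwd" lines decide which proxied AD objects become passwd entries and where each passwd field comes from, which is why the note above requires uidNumber and gidNumber. The following added example (Python, not nslcd code) makes that visible: a small evaluator for the filter syntax used in the nslcd.conf above, plus the attribute mapping, run on constructed entries as they would arrive through the proxy (sAMAccountName already presented as uid). Group members are rendered as DNs here, a simplification; the real nslcd resolves them to user names.

```python
# The mapping lines of the nslcd.conf example above (the filters contain no
# spaces, so a plain split() is enough to read them).
NSLCD_CONF = """\
filter passwd (&(objectClass=posixAccount)(!(objectClass=computer))(uidNumber=*))
map    passwd homeDirectory     UnixHomeDirectory
map    passwd gecos             displayName
map    passwd gidNumber         primaryGroupID
filter group (&(objectClass=posixGroup)(gidNumber=*))
map    group uniqueMember       member
"""

# Constructed entries as they arrive through the proxy, i.e. with
# sAMAccountName already presented as uid.  All values are sample data.
ENTRIES = [
    {"objectClass": ["user", "posixAccount"], "uid": ["alice"],
     "uidNumber": ["10001"], "primaryGroupID": ["10000"],
     "displayName": ["Alice Example"], "unixHomeDirectory": ["/home/alice"],
     "loginShell": ["/bin/bash"]},
    # a user without uidNumber: not a POSIX account as far as the filter goes
    {"objectClass": ["user", "posixAccount"], "uid": ["svc-backup"],
     "displayName": ["Backup Service"]},
    # a computer object that happens to carry a uidNumber: excluded by (!(...))
    {"objectClass": ["computer", "posixAccount"], "uid": ["DMZHOST$"],
     "uidNumber": ["20001"], "primaryGroupID": ["10000"]},
    {"objectClass": ["group", "posixGroup"], "cn": ["dmz-users"],
     "gidNumber": ["10000"],
     "member": ["CN=Alice Example,CN=Users,DC=example,DC=com"]},
]


def parse_filter(s, pos=0):
    """Recursive-descent parser for the RFC 4515 subset used above:
    (&...), (|...), (!...), (attr=value) and the presence form (attr=*)."""
    if s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if s[pos] in "&|":
        op, pos, subs = s[pos], pos + 1, []
        while s[pos] == "(":
            node, pos = parse_filter(s, pos)
            subs.append(node)
        return (op, subs), pos + 1          # skip the closing ')'
    if s[pos] == "!":
        node, pos = parse_filter(s, pos + 1)
        return ("!", node), pos + 1
    end = s.index(")", pos)
    attr, value = s[pos:end].split("=", 1)
    return ("=", attr, value), end + 1


def get(entry, attr):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    return next((v for a, v in entry.items() if a.lower() == attr.lower()), [])


def evaluate(node, entry):
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(n, entry) for n in node[1])
    if kind == "|":
        return any(evaluate(n, entry) for n in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    _, attr, value = node
    vals = get(entry, attr)
    return bool(vals) if value == "*" else any(v.lower() == value.lower() for v in vals)


def parse_nslcd_conf(text):
    """Collect 'filter <map> <filter>' and 'map <map> <attr> <ldap-attr>' lines."""
    filters, maps = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "filter":
            filters[parts[1]] = parts[2]
        elif len(parts) == 4 and parts[0] == "map":
            maps.setdefault(parts[1], {})[parts[2]] = parts[3]
    return filters, maps


def passwd_lines(conf_text, entries):
    """Apply 'filter passwd' and 'map passwd' and render passwd(5) lines."""
    filters, maps = parse_nslcd_conf(conf_text)
    node, _ = parse_filter(filters["passwd"])
    attr_for = maps.get("passwd", {})
    lines = []
    for e in entries:
        if not evaluate(node, e):
            continue
        def field(name):
            vals = get(e, attr_for.get(name, name))   # mapped name, else the default
            return vals[0] if vals else ""
        lines.append(":".join([field("uid"), "x", field("uidNumber"), field("gidNumber"),
                               field("gecos"), field("homeDirectory"), field("loginShell")]))
    return lines


def group_lines(conf_text, entries):
    """Same for 'filter group' / 'map group'; members are listed by DN here."""
    filters, maps = parse_nslcd_conf(conf_text)
    node, _ = parse_filter(filters["group"])
    attr_for = maps.get("group", {})
    lines = []
    for e in entries:
        if evaluate(node, e):
            members = get(e, attr_for.get("uniqueMember", "uniqueMember"))
            lines.append("%s:x:%s:%s" % (get(e, "cn")[0], get(e, "gidNumber")[0], ",".join(members)))
    return lines


if __name__ == "__main__":
    print("\n".join(passwd_lines(NSLCD_CONF, ENTRIES)))
    print("\n".join(group_lines(NSLCD_CONF, ENTRIES)))
```

Of the three user-like entries only alice yields a passwd line: svc-backup has no uidNumber and the computer object is dropped by the (!(objectClass=computer)) term. With "map passwd gidNumber primaryGroupID", the account's GID is the primaryGroupID value, so a group whose gidNumber equals that value has to exist for the group name to resolve.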








AUTHENTICATION AGAINST AD THROUGH OPENLDAP PROXY

Example of where you need this: You want to authenticate users through an
openLDAP proxy against AD.

 * This requires that you have successfully configured nslcd to get the user
   information onto the system through an openLDAP proxy to AD.

 * Edit your "/etc/pam_ldap.conf" the following way:

base {your Domain DN}
binddn cn=nslcd-connect,cn=Users,{your Domain DN}
bindpw {password}
bind_policy soft
uri ldap://{openLDAP-Proxy-Hostname/IP}:389/
ssl no









Retrieved from
"https://wiki.samba.org/index.php?title=OpenLDAP_as_proxy_to_AD&oldid=13287"

Category:
 * Active Directory


 * This page was last edited on 26 February 2017, at 21:52.
 * Content is available under CC-BY unless otherwise noted.