Jan 08

openldap and 3 AD servers

Recently I had to use 3 ADs for the login on one application. The only solution I could think of was to proxy the requests from a local openldap towards the correct AD. The problem was that those 3 ADs were on different networks and not linked to each other. Luckily there were no duplicate users on the 3 different ADs.

As I had a few issues getting it set up, here are the steps:

1) create a schema that defines sAMAccountName (the AD logon name attribute, so slapd accepts filters on it) and include it from slapd.conf:

attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )

2) Add the following config (change the suffixes, URIs and credentials for your needs) to slapd.conf:

 # settings for AD3 (subordinate: must be declared before the top-level database)
 database    meta
 suffix         "dc=ad3,dc=grouped,dc=all"
 subordinate
 uri             "ldap://ip3/dc=ad3,dc=grouped,dc=all"
 # map the virtual suffix served by the proxy to the real base DN on AD3
 suffixmassage   "dc=ad3,dc=grouped,dc=all" "ou=users,ou=bleh,dc=blah,dc=be"
 rewriteEngine on
 # keep the attribute and its trailing comma inside the capture group, so %1 still
 # contains "sAMAccountName=<user>," after the suffix is swapped
 rewriteRule "(sAMAccountName=.*,)dc=ad3,dc=grouped,dc=all$" "%1ou=users,ou=bleh,dc=blah,dc=be" ":"
 # identity the proxy itself uses towards AD3 (replace dn3/pw3)
 idassert-bind bindmethod=simple
  binddn="dn3"
  credentials="pw3"

 # settings for AD2 (subordinate: must be declared before the top-level database)
 database    meta
 suffix         "dc=ad2,dc=grouped,dc=all"
 subordinate
 uri             "ldap://ip2/dc=ad2,dc=grouped,dc=all"
 suffixmassage   "dc=ad2,dc=grouped,dc=all" "ou=users,ou=foo,dc=bar,dc=be"
 rewriteEngine on
 rewriteRule "(sAMAccountName=.*,)dc=ad2,dc=grouped,dc=all$" "%1ou=users,ou=foo,dc=bar,dc=be" ":"
 idassert-bind bindmethod=simple
  binddn="dn2"
  credentials="pw2"

 # settings for AD1 (the top-level database; the two subordinates above are glued under it)
 database    meta
 suffix         "dc=grouped,dc=all"
 # the application binds as this rootdn to search the whole virtual tree
 rootdn        "cn=user,dc=grouped,dc=all"
 rootpw       "userpw"
 uri             "ldap://ip1/dc=grouped,dc=all"
 suffixmassage   "dc=grouped,dc=all" "ou=users,ou=fuu,dc=bal"
 rewriteEngine on
 rewriteRule "(sAMAccountName=.*,)dc=grouped,dc=all$" "%1ou=users,ou=fuu,dc=bal" ":"
 idassert-bind bindmethod=simple
  binddn="dn1"
  credentials="pw1"
How does this work? The last entry (it must be the last: subordinate databases have to be declared before the superior database they are glued into) is the base DN that your application searches, and the application logs in as its rootdn "cn=user,dc=grouped,dc=all". That is the top level, and underneath it the 2 subordinates reside (dc=ad2,dc=grouped,dc=all and dc=ad3,dc=grouped,dc=all). If you leave out the subordinate keyword, a search against dc=grouped,dc=all will not be passed on to ad2 and ad3. The rest should be pretty obvious and basic... llap!
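To make the routing and the DN rewriting visible without three ADs at hand, here is a small offline model, added as an example and not code from the original post. It reuses the suffixes and real base DNs from the config above; the backend labels AD1..AD3, the sample DNs and the trimmed sample slapd.conf are constructed for illustration. It shows how the glue picks the most specific suffix, how suffixmassage rewrites a DN, why the attribute and its comma must stay inside the rewriteRule capture group, and it checks the ordering rule behind "must be the last" on a slapd.conf fragment.

```python
import re

# Added example, not the post's own code. Suffixes and real AD bases are
# taken from the post; the AD1..AD3 labels and every sample DN below are
# constructed for illustration only.

# (virtual suffix served by the proxy, real base DN on that AD, label)
BACKENDS = [
    ("dc=grouped,dc=all",        "ou=users,ou=fuu,dc=bal",         "AD1"),
    ("dc=ad2,dc=grouped,dc=all", "ou=users,ou=foo,dc=bar,dc=be",   "AD2"),
    ("dc=ad3,dc=grouped,dc=all", "ou=users,ou=bleh,dc=blah,dc=be", "AD3"),
]


def _under(dn, suffix):
    """True if dn equals suffix or lies below it (DNs compare case-insensitively)."""
    dn, suffix = dn.lower(), suffix.lower()
    return dn == suffix or dn.endswith("," + suffix)


def route(dn):
    """Pick the most specific suffix containing dn: with 'subordinate', the glue
    hands a request under dc=ad2,... to AD2 although dc=grouped,dc=all matches too."""
    matches = [b for b in BACKENDS if _under(dn, b[0])]
    if not matches:
        raise ValueError(f"no database serves {dn!r}")
    return max(matches, key=lambda b: len(b[0]))


def massage(dn):
    """Apply the suffixmassage rule '(.*)<virtual>$' -> '%1<real>' of the
    backend chosen by route(); returns (label, rewritten DN)."""
    virtual, real, label = route(dn)
    rule = re.compile(r"(.*)" + re.escape(virtual) + r"$", re.IGNORECASE)
    return label, rule.sub(lambda m: m.group(1) + real, dn)


def rewrite_rule(dn, pattern, substitution):
    """Mimic one back-meta rewriteRule: '%1' in the substitution is the first
    submatch. Returns dn unchanged when the pattern does not match."""
    return re.sub(pattern, substitution.replace("%1", r"\g<1>"), dn)


def parse_databases(conf):
    """Minimal slapd.conf reader: one dict per 'database' section with its
    suffix and whether it carries the subordinate keyword."""
    dbs = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "database":
            dbs.append({"type": arg, "suffix": None, "subordinate": False})
        elif dbs and key == "suffix":
            dbs[-1]["suffix"] = arg
        elif dbs and key == "subordinate":
            dbs[-1]["subordinate"] = True
    return dbs


def check_order(conf):
    """Check the rule behind 'must be the last': every subordinate database must
    be declared before the superior it is glued into. Returns a list of problems."""
    dbs = parse_databases(conf)
    problems = []
    for i, db in enumerate(dbs):
        if not db["subordinate"]:
            continue
        superiors = [j for j, o in enumerate(dbs)
                     if j != i and o["suffix"] and db["suffix"]
                     and o["suffix"].lower() != db["suffix"].lower()
                     and _under(db["suffix"], o["suffix"])]
        if not superiors:
            problems.append(f"{db['suffix']}: no superior database defined")
        elif any(j < i for j in superiors):
            problems.append(f"{db['suffix']}: superior database declared before it")
    return problems


# Constructed copy of the post's three-database layout, reduced to the
# keywords check_order() looks at.
SAMPLE_CONF = """
database meta
suffix "dc=ad3,dc=grouped,dc=all"
subordinate
database meta
suffix "dc=ad2,dc=grouped,dc=all"
subordinate
database meta
suffix "dc=grouped,dc=all"
"""

if __name__ == "__main__":
    for dn in ("sAMAccountName=jdoe,dc=ad2,dc=grouped,dc=all",
               "cn=user,dc=grouped,dc=all",
               "dc=ad3,dc=grouped,dc=all"):
        print(dn, "->", massage(dn))
    # Attribute and comma inside the capture group: valid DN.
    # Comma outside the group: the RDN and its comma are lost.
    target = "sAMAccountName=jdoe,dc=ad3,dc=grouped,dc=all"
    print(rewrite_rule(target, r"(sAMAccountName=.*,)dc=ad3,dc=grouped,dc=all$",
                       "%1ou=users,ou=bleh,dc=blah,dc=be"))
    print(rewrite_rule(target, r"sAMAccountName=(.*),dc=ad3,dc=grouped,dc=all$",
                       "%1ou=users,ou=bleh,dc=blah,dc=be"))
    print("ordering problems:", check_order(SAMPLE_CONF))
```

Running it prints the rewritten DN for each sample, one valid and one broken rewrite of the same DN, and an empty problem list for the sample layout; swapping the top-level database to the front of SAMPLE_CONF makes check_order() report it.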

About

I'm Jochen Maes, a nerd, enough said! (contact info on the about page)
