On Tue, 1 Oct 2019 18:35:16 +1000, Drikus Brits <[email protected]> wrote:
> Heya experts.
>
> I need some guidance. I am having difficulty deploying my requirements. I need to deploy a couple of U18 servers/containers. These servers all need to authenticate with LDAP accounts that are active and in a certain group on AD, but the IT team doesn't want to allow IPs and ports from servers across the network and so I have to set up an ldap proxy that will speak to AD on behalf of all the other machines, eg jumphost. The windows AD cannot be modified to add extra groups eg posixAccount, uidNumber, gidNumber, loginShell, homeDirectory etc.
>
> I can successfully run an ldapsearch from the proxy machine to the AD and query a user based on the sAMAccountName and am getting successful results back from AD. However, when the jumphost (proxy set as ldap authhost) tries to authenticate with the proxy, then I see the request coming in from the jumphost to ldap proxy, and see the ldap proxy sending the request to the windows AD, but it forwards the same details as it sent to the local to the remote; eg objectClass=posixAccount, uid=testuser. This doesn't exist on the AD and so returns no result. I've tried to do rewrites and according to the packet captures, saw that the rewrite was working somewhat. I was able to rewrite uid to sAMAccountName, but not sure what to rewrite the posixAccount to...
>
> So ideally what I'd like to see happening is that:
>
> 1) user logs onto jumphost with username "testuser"
> 2) user lookup & authentication goes to ldap_proxy
> 3) ldap_proxy sends a request to AD to check if user exists and is active and match against the password
> 4) upon username=exists, is=active, password=ok return the result to ldap_proxy
> 5) ldap_proxy returns the necessary to jumphost eg;
>    a) posixAccount
>    b) homeDirectory
>    c) loginShell
>
> I've tried following a couple of different options to make it work, but right now I'm not sure which option is the correct one eg; (mdb config + ldap backend) or (meta + ldap backend) or (ldap + pcache) and whether to rewrite or not to rewrite. From my understanding, I am looking for something that sounds like a meta setup that combines the local and remote data... is my understanding correct?
>
> I've seen this working at a previous employer but not sure whether their AD was modified and that is why it was working there, or whether the solution is workable without having to force the IT guys' hand and add extra vars..
>
> I've scouted the openldap mailing list as well for answers but there is a plethora of no replies and some replies that somewhat match what I'm trying to do...
>
> Any guidance would be super appreciated

Create a private schema based on AD attribute types and load this schema into the ldap proxy.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
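What Dieter's one-line answer looks like in practice, as an added example that is not part of this thread: a private schema declaring the AD names, loaded into a back-ldap proxy whose slapo-rwm overlay maps uid/posixAccount to sAMAccountName/user. The hostname, suffixes, bind DN, credentials and the schema file path are placeholders; the OIDs are the ones AD publishes for these definitions.

```conf
# --- /etc/ldap/schema/ad-private.schema (constructed) ---
# Declares the AD attribute types and object class the proxy has to map;
# slapo-rwm needs both sides of a map to be defined in the schema.  The OIDs
# are the ones AD publishes; compare them with your own domain controller's schema.
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
    DESC 'AD logon name'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.2.840.113556.1.4.8 NAME 'userAccountControl'
    DESC 'AD account flags (bit 0x2 = disabled); lets a client-side filter on it pass'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

objectclass ( 1.2.840.113556.1.5.9 NAME 'user'
    DESC 'AD user class, declared only so slapo-rwm can map it'
    SUP top STRUCTURAL
    MAY ( sAMAccountName $ userAccountControl $ cn $ sn $ mail ) )

# --- slapd.conf fragment for the proxy (constructed; host, DNs and credentials are placeholders) ---
include     /etc/ldap/schema/core.schema
include     /etc/ldap/schema/cosine.schema
include     /etc/ldap/schema/nis.schema          # posixAccount, uidNumber, ...
include     /etc/ldap/schema/ad-private.schema   # the file above

moduleload  back_ldap      # only when slapd was built with dynamic modules
moduleload  rwm

database    ldap
suffix      "dc=example,dc=com"                  # suffix the jumphost queries
uri         "ldaps://ad.example.com/"            # placeholder DC address
# AD rejects anonymous searches, so lookups from the jumphost run as one
# read-only proxy account (mode=none: bind as it, assert no client identity);
# client binds are still forwarded to AD, which does the password check.
idassert-bind bindmethod=simple
            binddn="cn=ldap-proxy,ou=Service,dc=corp,dc=example,dc=com"
            credentials="CHANGE_ME"
            mode=none
idassert-authzFrom "dn.regex:.*"

overlay     rwm
rwm-rewriteEngine on
rwm-suffixmassage "dc=example,dc=com" "dc=corp,dc=example,dc=com"
# Rename what the client sends into what AD knows, and back on the way out:
# (&(objectClass=posixAccount)(uid=testuser)) -> (&(objectClass=user)(sAMAccountName=testuser))
rwm-map     attribute   uid            sAMAccountName
rwm-map     objectclass posixAccount   user
# Mapping only renames: uidNumber, gidNumber, homeDirectory and loginShell
# cannot be produced from an AD entry that never carries them.
```

Test the mapping from the jumphost with an ldapsearch for `(&(objectClass=posixAccount)(uid=testuser))` against the proxy and compare with a packet capture of what leaves for AD; the filter on the wire should read `(&(objectClass=user)(sAMAccountName=testuser))`.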
