On 16/06/2022 at 09:25, [email protected] wrote:
Hi all.
So, I'm trying to basically put a band-aid over an intentionally broken LDAP
implementation. We use Okta as our single source of truth for directory services, and its
implementation of LDAP intentionally leaves out uidNumber and gidNumber (and you can't
change this) in order to force you to use their insanely expensive "Advanced Server
Access" product. This $9500/yr expense for a minimum of 50 machines is a non-starter
for the lab project we are trying to get working with LDAP. We're only talking about ~10
machines here and we very much want them to be ultimately authenticating against Okta for
their passwords -- because this automatically MFAs them by default, and prevents
credential proliferation for the services we run in the lab.
So basically what I want to do is set up an LDAP server which passes just about
everything through to Okta, but keeps consistent uidNumber and gidNumber values
for each user in Okta who logs in.
I think this is possible either with the "meta" backend or the "ldap" backend
or both, but I'm not clear on how to configure these. I've followed this guide to get OpenLDAP
working on a Rocky 8 server: https://kifarunix.com/install-and-setup-openldap-on-rocky-linux-8/
But that guide does not contain instructions for something like this, and even the
OpenLDAP documentation is scarce when it comes to configuring backends. e.g.:
https://www.openldap.org/doc/admin26/backends.html#LDAP even just for LDAP there is no
indication of how I would introduce the bind DN for the backend LDAP or how it would know
what to add, and the "meta" backend has no implementation details at all:
https://www.openldap.org/doc/admin26/backends.html#Metadirectory
Hello Jarett,
another approach would be to create a local OpenLDAP server and
synchronize it with the Okta LDAP server with LSC: https://lsc-project.org/
You will then be able to easily manage local attributes.
--
Clément Oudot | Identity Solutions Manager
[email protected]
Worteks | https://www.worteks.com
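As an added illustration, not part of either poster's message, here is a slapd.conf sketch of the proxy approach Jarett describes: the slapd-ldap(5) backend forwards binds and searches to the Okta LDAP Interface, and the slapo-translucent(5) overlay (a swapped-in technique that the thread itself does not name) layers locally stored uidNumber/gidNumber values onto the remote entries. Every hostname, DN, path, password and the "tls ldaps" option are assumptions or placeholders; check each directive against slapd-ldap(5) and slapo-translucent(5) for the OpenLDAP version actually installed.

```conf
# Added example (not from the thread). Local slapd that proxies the Okta
# LDAP Interface and keeps uidNumber/gidNumber in a local mdb database.
# All hostnames, DNs, paths and passwords are placeholders.

include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema
# nis.schema defines posixAccount, uidNumber and gidNumber
include   /etc/openldap/schema/nis.schema

pidfile   /var/run/openldap/slapd.pid
argsfile  /var/run/openldap/slapd.args

# Local database: stores only the attributes Okta does not serve.
# The suffix must match the suffix Okta exposes (placeholder here).
database  mdb
suffix    "dc=ORG,dc=okta,dc=com"
rootdn    "cn=admin,dc=ORG,dc=okta,dc=com"
# Generate with slappasswd; never keep a cleartext rootpw.
rootpw    {SSHA}REPLACE-WITH-slappasswd-OUTPUT
directory /var/lib/ldap/okta-proxy
index     objectClass eq
index     uid,uidNumber,gidNumber eq

# Anonymous clients get nothing; authenticated clients (bound through
# to Okta) can read; only the local admin writes the local attributes.
access to attrs=uidNumber,gidNumber
    by dn.exact="cn=admin,dc=ORG,dc=okta,dc=com" write
    by users read
    by * none
access to *
    by users read
    by * none

# Translucent overlay: operations go to the remote server, and local
# entries with the same DN are merged onto the remote results.
overlay   translucent
# Attributes that are searched and served from the local database.
translucent_local uidNumber,gidNumber
# Refuse modifications that would touch attributes the remote owns.
translucent_strict

# slapd-ldap(5) directives for the remote side follow the overlay line.
# Placeholder Okta LDAP Interface host; always use LDAPS to Okta.
uri       ldaps://ORG.ldap.okta.com/
# Assumed option: require a valid server certificate on the outbound
# connection (verify "tls ldaps" is supported by your slapd-ldap version).
tls       ldaps tls_reqcert=demand tls_cacert=/etc/pki/tls/certs/ca-bundle.crt
# Client binds are forwarded to Okta with the client's own DN and
# password, so Okta (and its MFA policy) stays the password authority.
chase-referrals no
```

With this layout the lab's NSS/PAM clients (for example sssd) bind with a dedicated Okta service account, which slapd forwards to Okta, while the admin adds one small local entry per user (same DN as in Okta, objectClass posixAccount plus uidNumber and gidNumber) under the rootdn. Because the slapd.conf file carries the rootpw hash and any proxy credentials, keep it owned by the ldap user with mode 0600, and prefer cn=config with the same settings if the install already uses it, as the kifarunix guide does.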