[email protected] wrote:
> Hi all.
>
> So, I'm trying to basically put a band-aid over an intentionally broken LDAP
> implementation. We use Okta as our single source of truth for directory
> services, and its implementation of LDAP intentionally leaves out uidNumber
> and gidNumber (and you can't change this) in order to force you to use their
> insanely expensive "Advanced Server Access" product. This $9500/yr expense
> for a minimum of 50 machines is a non-starter for the lab project we are
> trying to get working with LDAP. We're only talking about ~10 machines here
> and we very much want them to be ultimately authenticating against Okta for
> their passwords -- because this automatically MFAs them by default, and
> prevents credential proliferation for the services we run in the lab.
>
> So basically what I want to do is set up an LDAP server which passes just
> about everything through to Okta, but keeps consistent uidNumber and
> gidNumber values for each user in Okta who logs in.
>
> I think this is possible either with the "meta" backend or the "ldap" backend
> or both, but I'm not clear on how to configure these. I've followed this
> guide to get OpenLDAP working on a Rocky 8 server:
> https://kifarunix.com/install-and-setup-openldap-on-rocky-linux-8/
>
> But that guide does not contain instructions for something like this, and
> even the OpenLDAP documentation is scarce when it comes to configuring
> backends, e.g. https://www.openldap.org/doc/admin26/backends.html#LDAP. Even
> just for LDAP there is no indication of how I would introduce the bind DN for
> the backend LDAP or how it would know what to add, and the "meta" backend has
> no implementation details at all:
> https://www.openldap.org/doc/admin26/backends.html#Metadirectory
Implementation examples are in the test suite. You probably want to use
slapo-translucent to maintain the local attributes.

> Help?
>
> Thanks!

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
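The following slapd.conf fragment is an added illustration of the slapo-translucent setup suggested in the reply; it is not from the thread, the OpenLDAP test suite, or Okta. It assumes a local mdb database under a made-up suffix (dc=example,dc=com), a placeholder Okta LDAP hostname and port, and the CA bundle path used on Rocky 8; every value marked "assumption" must be replaced with the real one. The point it shows is the split the original poster wants: entries and passwords stay on the remote server, while only uidNumber and gidNumber live locally.

```conf
# slapd.conf fragment (added example, not from the thread).
# A translucent proxy: slapd answers from the Okta LDAP interface for
# everything except the attributes listed in translucent_local, which it
# stores and serves from its own mdb database.

database        mdb
suffix          "dc=example,dc=com"          # assumption: must match the remote's naming context
rootdn          "cn=admin,dc=example,dc=com" # assumption: local admin used only to set uid/gid numbers
rootpw          "{SSHA}REPLACE-WITH-slappasswd-OUTPUT"
directory       /var/lib/ldap
index           objectClass eq

# The overlay wraps back-ldap, so the slapd-ldap(5) directives below
# describe the remote (Okta) side.
overlay         translucent

# Only these attributes come from the local mdb; all others, including
# userPassword handling via forwarded binds, come from the remote.
translucent_local       uidNumber,gidNumber

# Remote server.  Client binds are proxied to it unchanged, so Okta still
# checks the password (and any MFA policy); no credentials are cached here.
uri             ldaps://PLACEHOLDER.ldap.okta.com:636   # assumption: your org's LDAP interface host
tls             ldaps tls_cacert=/etc/pki/tls/certs/ca-bundle.crt tls_reqcert=demand
```

With this in place, an sssd or nslcd client binds to the proxy with the same service-account DN it would use against Okta directly; the bind is forwarded, and a search for a user returns the remote entry merged with the locally stored uidNumber and gidNumber. Those local values are populated once per user by an ldapmodify as the rootdn adding uidNumber and gidNumber to the user's DN: per slapo-translucent(5), modifications are written to the local database rather than forwarded, which is what keeps the numbers stable across logins. Two checks worth doing before the lab machines depend on it: confirm with `ldapwhoami` over the proxy that a wrong password is rejected (proving the bind really reaches Okta and is not satisfied locally), and confirm that an `ldapsearch` for userPassword returns nothing from the local mdb, since the only secret the proxy host should hold is the TLS trust anchor for the upstream.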
