First, please note that I have experience with Linux, but for some reason the OpenLDAP proxy authentication has me very confused, so I'm hoping someone can simply answer my questions to help me better understand it. I was following this tutorial to set up a proxy to an Active Directory authentication (https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD).

Some notes:

  • The OpenLDAP server's IP is 10.41.22.103

  • The Windows AD server IP is 10.41.22.100

  • OpenLDAP admin account is cn=admin,dc=example,dc=com

Following the tutorial, here are the files I modified.

My slapd.conf file (/etc/ldap/slapd.conf):

### Schema includes ####

include                 /etc/ldap/schema/core.schema
include                 /etc/ldap/schema/cosine.schema
include                 /etc/ldap/schema/inetorgperson.schema
include                 /etc/ldap/schema/misc.schema
include                 /etc/ldap/schema/nis.schema

## Module paths ##############################################################

modulepath              /usr/lib/ldap
moduleload              back_ldap
moduleload              rwm

# Main settings ###############################################################

pidfile                 /var/run/slapd/slapd.pid
argsfile                /var/run/slapd/slapd.args

### Database definition (Proxy to AD) #########################################

database                ldap
readonly                yes
protocol-version        3
rebind-as-user          yes
uri                     "ldap://10.41.22.100:389"
suffix                  "dc=OneGeo,dc=local"
overlay                 rwm
rwm-map                 attribute       uid     sAMAccountName
#rwm-map                 attribute       mail    proxyAddresses

### Logging ###################################################################

logfile                 /var/log/slapd/slapd.log
loglevel   0

In my Server 2012 AD, I created a user as requested and this is its DN:

CN=nslcd connect,CN=Users,DC=OneGeo,DC=local

Here is what I put into the core.schema (/etc/ldap/schema/core.schema):

####sAMAccountName AttributeType####

attributetype ( 1.2.840.113556.1.4.221
NAME 'sAMAccountName'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
SINGLE-VALUE )

Here is what I put into the nslcd.conf file (/etc/nslcd.conf):

# Mappings for Active Directory

pagesize 1000
referrals off

# Passwd

filter passwd (&(objectClass=posixAccount)(!(objectClass=computer))(uidNumber=*))

map    passwd homeDirectory     UnixHomeDirectory
map    passwd gecos             displayName
map    passwd gidNumber         primaryGroupID


# Shadow

filter shadow (&(objectClass=posixAccount)(!(objectClass=computer))(uidNumber=*))
map    shadow shadowLastChange  pwdLastSet

##new
filter passwd (uid=*)

# Groups

#filter group (&(objectClass=posixGroup)(gidNumber=*))
filter group  (&(objectClass=group)(gidNumber=*))
#map    group gid       member

# Local account for nslcd

uid nslcd
##gid ldap
gid nslcd

# Where is the LDAP

uri ldap://10.41.22.100:389
base dc=OneGeo,dc=local

# Connect-Account

binddn  CN=nslcd\connect,CN=Users,DC=OneGeo,DC=local
bindpw n3m3s1s
ssl no

The last step in that tutorial mentions the pam_ldap.conf file, but I can't seem to find it on the OpenLDAP server. Here are some questions I have (more will probably come):

  1. Where is the pam_ldap.conf file and should it be on the OpenLDAP server or on a client?
  2. Once all of this is set up properly, how do I fully test it to ensure authentication is happening at the AD level? I'm really confused about this part!

Thank you!

  • Christian
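As an added example (not part of the original post, and not code from the Samba wiki tutorial), the following Python script shows one way to check whether a bind is really being decided by AD: it builds an LDAPv3 simple BindRequest by hand, sends it to a chosen host, and decodes the BindResponse result code. Running it once against the OpenLDAP proxy (10.41.22.103, taken from the post) and once directly against the AD server (10.41.22.100) with the same DN and password should give the same result code in both cases, because back-ldap forwards the client's bind to the remote server rather than answering it locally. The host addresses, the DN `CN=nslcd connect,CN=Users,DC=OneGeo,DC=local` and the message ids are taken from or assumed from the post; the BindResponse bytes used in the self-check are constructed here.

```python
#!/usr/bin/env python3
"""Hand-rolled LDAPv3 simple bind (RFC 4511, BER per X.690) to compare
bind results through an OpenLDAP back-ldap proxy and directly against AD.
Added example; hosts/DNs below are assumptions based on the question."""
import getpass
import socket
import sys

# BER tags used by the bind exchange
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80    # [0] context-specific, primitive: simple password

# Result codes a bind test is likely to produce (RFC 4511 section 4.1.9)
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    53: "unwillingToPerform",
}


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(tag: int, n: int) -> bytes:
    """Minimal two's-complement INTEGER/ENUMERATED encoding."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return tlv(tag, body)


def build_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    op = (ber_int(TAG_INTEGER, 3)
          + tlv(TAG_OCTET_STRING, dn.encode())
          + tlv(TAG_SIMPLE_AUTH, password.encode()))
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, msg_id) + tlv(TAG_BIND_REQUEST, op))


def build_bind_response(msg_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Server side of the exchange; used here only to self-test the parser."""
    op = (ber_int(TAG_ENUMERATED, result_code)
          + tlv(TAG_OCTET_STRING, b"")            # matchedDN
          + tlv(TAG_OCTET_STRING, diagnostic.encode()))
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, msg_id) + tlv(TAG_BIND_RESPONSE, op))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes) -> dict:
    tag, msg, _ = read_tlv(buf, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != TAG_BIND_RESPONSE:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, rc, pos = read_tlv(op, 0)
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    code = int.from_bytes(rc, "big", signed=True)
    return {"msg_id": int.from_bytes(mid, "big", signed=True), "result_code": code,
            "result": RESULT_CODES.get(code, "unknown(%d)" % code),
            "matched_dn": matched.decode(), "diagnostic": diag.decode(errors="replace")}


def recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return data


def bind_check(host: str, dn: str, password: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Send one simple bind over plain LDAP and return the decoded response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1, dn, password))
        head = recv_exact(sock, 2)                    # tag + first length byte
        prefix = b"" if head[1] < 0x80 else recv_exact(sock, head[1] & 0x7F)
        length = head[1] if head[1] < 0x80 else int.from_bytes(prefix, "big")
        return parse_bind_response(head + prefix + recv_exact(sock, length))


if __name__ == "__main__":
    # Usage: ldap_bind_check.py <DN> [host ...]; hosts default to proxy then AD (assumed from the post)
    dn = sys.argv[1] if len(sys.argv) > 1 else "CN=nslcd connect,CN=Users,DC=OneGeo,DC=local"
    hosts = sys.argv[2:] or ["10.41.22.103", "10.41.22.100"]
    pw = getpass.getpass("Password for %s: " % dn)
    for h in hosts:
        try:
            print(h, bind_check(h, dn, pw))
        except OSError as exc:
            print(h, "error:", exc)
```

Expect `success` (0) from both hosts for a valid password and `invalidCredentials` (49) from both for a wrong one; a mismatch between the two hosts means the proxy is not forwarding the bind as configured (wrong `uri`, a DN that is not valid on the AD side, or a rewrite problem). Note that, like the `ssl no` / port 389 setting in the posted nslcd.conf, this sends the password in the clear, so run it only over a trusted network segment or switch the sockets to TLS before using it routinely.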
