I have a Linux (4.1.12-61.1.34.el6uek.x86_64) box with a slapd service (slapd 2.4.40). What I'm trying to achieve is to transparently proxy all client LDAP-related traffic through this slapd instance to an Active Directory server. The reason I need to do this is that the traffic needs to be tunneled via TLS 1.2 and my client application does not support it. Unfortunately I don't have control over the client, it's a given.

The client needs to authenticate against the AD using a username and pwd provided by a user, and then obtain the list of groups this user belongs to, fairly straightforward. The server requires simple bind with a bind user and plain text password. When I attempt to query the AD server through the slapd instance I always get the error below (when running slapd -f slapd.conf -d 4 -d 16 -d 32):

send_ldap_result: err=49 matched="" text=""

Which essentially means that authentication fails. When I bypass my slapd proxy and use ldapsearch to connect to the AD directly everything works flawlessly.

ldapsearch via slapd (gives error):

ldapsearch -H ldap://localhost -x -D cn=user,ou=bind,dc=domain,dc=com -W -s sub "(cn=VNA-*)" -v

ldapsearch direct (no error, returns results from AD):

ldapsearch -H ldaps://ad.domain.com:636 -x -D cn=user,ou=bind,dc=domain,dc=com -W -s sub "(cn=VNA-*)" -v

I have tried playing with all of the various options mainly in idassert-bind, but none seem to make any difference. I would appreciate any help in getting this to work.

My slapd.conf:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema


# Global options
loglevel 256
sizelimit unlimited
idletimeout             3600
writetimeout            600
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
allow bind_v2

# Modules
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
moduleload back_ldap

TLSCACertificateFile    /etc/openldap/cacerts/cacert.pem

database ldap
readonly yes
uri "ldaps://ad.domain.com:636"
suffix "dc=domain,dc=com"
idassert-bind bindmethod=simple
        mode=self
        binddn="cn=user,ou=bind,dc=domain,dc=com"
        credentials=secret
        tls_reqcert=never
        tls_cacert=/etc/openldap/cacerts/cacert.pem
idassert-authzFrom      "*"
Hintham

1 Answer

I finally gave up on this and used stunnel instead, works like a charm.

Hintham
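The stunnel setup the answer settles on, as an added example and not the poster's own configuration: a client-mode tunnel that accepts plain LDAP from the TLS-incapable client on localhost and forwards it over TLS 1.2 to the AD server named in the question. The file path, the localhost port, the chroot/user lines and the stunnel 5.x option names are assumptions; the CA file is the one from the question's slapd.conf.

```ini
; Added example (hypothetical /etc/stunnel/ldap-ad.conf), assumes stunnel 5.x
; Global options
foreground = no
pid = /var/run/stunnel-ldap.pid
setuid = nobody
setgid = nobody
debug = 5

[ldap-to-ad]
; client mode: stunnel speaks plain LDAP to the local client and TLS to AD
client = yes
accept = 127.0.0.1:389
connect = ad.domain.com:636
; the client cannot do TLS 1.2, so pin the tunnel to it here
sslVersion = TLSv1.2
; verify the AD server certificate against the same CA file slapd.conf used;
; unlike tls_reqcert=never in the slapd.conf above, this rejects an
; unexpected server certificate instead of silently accepting it
verifyChain = yes
CAfile = /etc/openldap/cacerts/cacert.pem
checkHost = ad.domain.com
```

The client is then pointed at ldap://localhost instead of the AD host, and the same simple bind it already performs is carried inside the tunnel; stunnel does not rewrite any LDAP operation, which is why the err=49 seen with back-ldap's idassert-bind does not arise here.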