OpenLDAP Proxy -- Tricks and tips

  sonic0002        2017-11-04 04:29:38       12,779        0    

Just like other software configuration, there would be issues encountered during the OpenLDAP proxy setup process. In this post, we would try to summarize some of the tricks and tips for OpenLDAP proxy setup.

OpenLDAP Version

We would always recommend that you install the latest version of the OpenLDAP because they contain the latest features, bug fixes and security patches. You should always refer to the latest release notes for new changes. In case you have used an earlier version of OpenLDAP and encountered some bizarre behavior, please try to update to the latest OpenLDAP version first.

Below are some issues we have encountered which get resolved using the latest version.

  • When a remote LDAP server is down, the result will always be an empty list where no other remote LDAP server gets searched
  • When trying to connect to a remote LDAP server which uses SSL, the LDAP query hangs and it never returns

SSL configuration

If you want to provide a secure service to the client, you can enable the SSL capability with below changes.

  • In the configuration, set the certificate file and its private key location and also the CA certificate location. The detailed setting can be found in OpenLDAP Proxy -- slapd.conf.
  • When running the slapd service, you need to specify ldaps:/// in its -h option. See below
    /usr/sbin/slapd -h 'ldap:/// ldapi:/// ldaps:///' -g ldap -u ldap
  • From the client side, connect using port 389 which is the default SSL port.

If you want the proxy to connect to the remote LDAP using SSL, you would need to update the /etc/ldap/ldap.conf in the proxy server if you always want to trust the server's certificate. Basically, you need to add below line in the configuration file.

TLS_REQCERT allow

Simple authentication

In some cases, the remote LDAP server requires authentication when the client queries it. Hence when the LDAP Proxy connects to the remote server, it needs to provide the server binddn and credentials for binding. This can be configured in /etc/ldap/slapd.conf and add the idassert-bind entry after the uri entry.

In addition to this, you also need to create a virtual dn and password for the proxy so that the LDAP client can use to connect. These settings are rootdn and rootpw. After this, you need to add an idassert-authzFrom entry after idassert-bind entry to tell who is authorized to initiate the bind to the remote server. Otherwise, the bind may not work. 

The detailed setting can be found in OpenLDAP Proxy -- slapd.conf.

Attribute mapping

OpenLDAP provides attribute mapping capability so that some attributes in the remote LDAP server can be mapped to some user friendly attribute names the client can refer to. This capability is usually done through the overlay rwm entry. This adds a plugin to the proxy and hence the attribute mapping can be done. However, the attribute mapping is global which means that you cannot have a separate mapping for each remote LDAP server. 

This limitation brings a problem where some attribute mapping requirement cannot be fulfilled. For example, if you have an OpenLDAP based remote LDAP server and a Windows AD based remote LDAP server, the requirement is to map the uid from OpenLDAP server to accountId and the sAMAccountName from Windows AD to accountId as well, this can not be done easily due to the above limitation. If you have below mapping in your configuration

overlay rwm
rwm-map       attribute   accountId  uid
rwm-map       attribute   accountId  sAMAccountName

Only the last mapping will work. The first one is overriden. But what if you want to make two mappings work? You can do following

overlay rwm
rwm-map       attribute   accountId  uid
overlay rwm
rwm-map       attribute   accountId  sAMAccountName

Adding one more overlay rwm entry before the second mapping. To understand more about how overlay works, you can refer to the official documentation. Below is a summary of what it does.

Essentially, overlays represent a means to:

  • customize the behavior of existing backends without changing the backend code and without requiring one to write a new custom backend with complete functionality
  • write functionality of general usefulness that can be applied to different backend types

Hope these tips could help you on your journey of setting up OpenLDAP proxy. Please feel free to comment if you have other tips.

SSL  AUTHENTICATION  OPENLDAP  OPENLDAP PROXY  ATTRIBUTE MAPPING  OVERLAY 

       

  RELATED


  0 COMMENT


No comment for this article.



  RANDOM FUN

Am I going to the past?