Using the chain overlay to connect openldap to MS Active Directory

Posted on 2006-10-28
Last Modified: 2010-04-20
Does anyone know if openldap 2.3.27 can be used with the chain overlay to resolve from a 2003 ADS server? Specifically, is there any trick to doing the bind? I'd be curious to know if anyone got the bind to work from inside the slapd.conf file. (I can get the bind to work from the linux/ldapsearch command line tool to active directory easily enough.)

I’m hoping to get a pointer or two on chaining to active directory from openldap. I have had pretty good luck getting openldap 2.3.27 to chain to other openldap instances. However, if I point it to an active directory service, then I can’t get results. Here is the chaining setup:

#######################################################
# Chaining
#######################################################
overlay                 chain
chain-rebind-as-user    FALSE

chain-uri               "ldap://ads.somedomain.com/"
chain-rebind-as-user    TRUE
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=adsuser,ou=adsunit,dc=somedomain,dc=com"
                        credentials="xxxxxx"
                        mode="none"


chain-uri               "ldap://ldap2.somedomain.com"
chain-rebind-as-user    TRUE
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=Manager,dc=somedomain,dc=com"
                        credentials="xxxxx"

########################################

The chain setup from ldap1 (the host of the slapd.conf file) to ldap2 works fine, but the same setup for ads returns no results, as indicated in the ldapsearch below:

ldap1:/usr/local/etc/openldap # ldapsearch -H ldap://localhost/ -LLL -x -b "ou=adsunit,dc=somedomain,dc=com" "(cn=*)"
returns:
cn Referral (10) Matched DN: ou=adsunit,dc=somedomain,dc=com
Referral: ldap://ads.somedomain.com/ou=adsunit,dc=somedomain,dc=com??sub


If I use the same format of ldapsearch aimed directly at the ads server, I get correct results. Starting the openldap server with -d, I see no obvious errors, but if I phony up the bind password I get the exact same output/result. Hence I assume the bind is at least part of the issue. I've tried many variations on the above configuration file.

Any ideas will be appreciated.
Question by:rzup

Expert Comment

by:noci
ID: 17829659
This is an interesting one....,
From the top of my head I would say there is a problem here..., as the database doesn't look the same.

The ldap.conf regulates the translations that need to be done for ads etc. etc.,
and that is bypassed here. (Well, you need to be able to tell that after a referral another table is needed....
I'm not sure.)

Have you searched the IBM redbooks?,
http://www.redbooks.ibm.com/

Not exactly a solution, but maybe a place to look for one.

Expert Comment

by:noci
ID: 17829661
My guess, you need a conditional ldap.conf one for openldap and another for ads,
but that's a guess.

Expert Comment

by:Kerem ERSOY
ID: 17833112
Hi,

As far as I understand, what you want to do is to bring results from another LDAP server (in this case AD).

If this is the case you may try "referrals" instead of chaining. You can define a referral in ldap.config too. I myself did this for some client; they have their OpenLDAP server, which is their main repository, but they have some legacy Exchange users too, and to accept e-mail the email system queries the OpenLDAP server; if it can not find any result then it returns a referral to the Exchange system, so that the client is able to query the Exchange server AD too.

Cheers,
K.

Expert Comment

by:Kerem ERSOY
ID: 17833139
Here's some info about referral:

http://www.zytrax.com/books/ldap/ch6/#referral

cheers,
K.

Author Comment

by:rzup
ID: 17834698
Referrals are chased at the client end, and the project I'm working on has the requirement that referrals be chased on the server side--essentially a requirement for chaining. If I can't get anywhere with chaining, then I may revert to referrals or some type of replication.

I hate to give up without trying to understand the problem, though. Chaining works fine to other openldap servers. Seems odd that I can bind to ADS from the command line with ldapsearch but can't put the same config in a slapd.conf file and have it chain as it normally does. I have a sense of a very small thing being misconfigured, but maybe there is some larger incompatibility.

Thanks for the suggestions.

Expert Comment

by:Kerem ERSOY
ID: 17838907
Hi,

Chaining is a type of referral, but it is processed by the server, not the client. As you know, AD is a "Windowsized" LDAP server, so it does not allow queries below root to be run without binding, and furthermore it will require a base DN if you are querying all records, i.e., without any specifiers.

So in fact the query you've presented above will not return results from the AD. It will complain that there's no bind DN. I see that you've included the binddn in your config file; will you include a basedn too?

In fact the query should be similar to that with LDAPSearch tool:

ldapsearch -x -D "cn=Administrator,cn=Users,dc=somecompany,dc=com" -b dc=somecompany,dc=com -W -H ldap://Some_IP_to_AD/

While it won't when you don't specify a basedn.

I hope this helps.

PS be sure to use LDAPV3, since LDAPV2 may not follow referrals (as far as I remember from a previous project).

Cheers,
K.


Expert Comment

by:Kerem ERSOY
ID: 17838937
Will you try this:

ldapsearch -x -D "cn=adsuser,ou=adsunit,dc=somedomain,dc=com" -b dc=somecompany,dc=com -W -H ldap://localhost/

and once more with ldap://ads.somecompany.com/

Author Comment

by:rzup
ID: 17839059
Well, KeremeE, you've hit the question on the head:

The error, in the first case, is invalid credentials because the binding credential is good on ADS but not on localhost (ldap1), and the chaining doesn't work.

If I change to  -H ldap://ads/ it works fine.

The question is how to successfully embed the credential in the chain directive so that the first case works. Thanks.

Expert Comment

by:Kerem ERSOY
ID: 17839239
I guess maybe there's a problem with reauthentication through chasing referrals. In this case maybe you can try:


chain-idassert-bind
                 .....              
                mode=self

instead of mode=none in your configuration.


Author Comment

by:rzup
ID: 17839248
Over the past few days I've tried every variation on that bind I could distantly imagine: self, none, leaving it out, etc. Thanks, though.

Accepted Solution

by:
Kerem ERSOY earned 400 total points
ID: 17839420
Do you think

overlay     xxx
chain-chaining resolve=chainingPreferred continuation=chainingPreferred (or chainingRequired)

chain-idassert-bind
                 .....    
                 mode=self          
               
would do some good?

 
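As an added example (not the asker's slapd.conf and not part of any answer in this thread), here is a chain-overlay fragment that puts the thread's two suggestions together, the chaining control and a fixed identity for the AD hop, plus the settings that make a failed chained bind visible instead of coming back as a bare referral. Directive names follow slapo-chain(5) and slapd-ldap(5); the host names, DNs, the placeholder password and the starttls/authzFrom lines are assumptions, and a given 2.3 build may not accept every directive shown.

```conf
#######################################################
# Chaining (added example; hosts, DNs and password are placeholders)
#######################################################
overlay                 chain

# Send the chaining control so the remote server chains its own
# referrals. "critical" is deliberately omitted: a server that does
# not implement the control would otherwise reject every operation.
chain-chaining          resolve=chainingPreferred continuation=chainingPreferred

# Loop guard: how many referral hops to chase before giving up.
chain-max-depth         1

# Return the real error (e.g. invalidCredentials from the bind) to
# the client instead of falling back to the original referral; this
# is what makes a wrong password distinguishable from a working chain.
chain-return-error      TRUE

# ---- Active Directory -------------------------------------------
chain-uri               "ldap://ads.somedomain.com/"

# The client's local credentials are unknown to AD, so do not replay
# them; bind with a dedicated, least-privileged AD account instead.
chain-rebind-as-user    FALSE
# mode=none: AD sees every chained operation as binddn; the local
# client's identity is not asserted (no proxy authorization control).
# starttls=critical keeps the AD password off the wire in cleartext
# (assumes a build whose idassert-bind accepts starttls).
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=adsuser,ou=adsunit,dc=somedomain,dc=com"
                        credentials="CHANGE-ME"
                        mode="none"
                        starttls="critical"
# Limit which local identities may ride the adsuser bind at all, so an
# anonymous or unrelated local client does not become "adsuser" on AD
# (assumed semantics of idassert-authzFrom per slapd-ldap(5)).
chain-idassert-authzFrom "dn.subtree:dc=somedomain,dc=com"

# ---- Second OpenLDAP server -------------------------------------
chain-uri               "ldap://ldap2.somedomain.com/"
# Same directory, same users: the client's own bind can be replayed.
chain-rebind-as-user    TRUE
```

Because the AD password sits in this file in clear, keep slapd.conf readable only by the account slapd runs as.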

Assisted Solution

by:noci
noci earned 100 total points
ID: 17840379
The general format of a URL is:

protocol://username:password@host:port/path/to/resource?query

This goes for http[s], ftp etc.
Would it help here?

like:

ldap://cn=adsuser,ou=adsunit,dc=somedomain,dc=com:xxxxxx@ads.somedomain.com/

Expert Comment

by:j0nnyhb
ID: 31306927
I'm sorry, I don't understand how the last 2 posts solved this issue (I'm trying the same thing ;o) ) ... rzup, could you post how you got this to work?  Thanks in advance!