We help IT Professionals succeed at work.

OpenLDAP Proxy to Active Directy

Lambton
Lambton asked
on
I am trying to create an OpenLDAP proxy in our DMZ to allow authentication from a Webserver to our ActiveDirectory through OpenLDAP Proxy.

I have spun up a couple servers, one Ubuntu 16.04 with the Latest OpenLDAP installed, and also a CentOS7 with the latest OpenLDAP installed.  (I don't need two servers, I only spun up the CentOS because the article I was following was performed on a redhat os, so it made it easier to follow step by step)

I have been following these two guides to make this work:

However I've run into some trouble along the way, it seems neither of these guide work for me, the paths are never the same as what I have, or I get errors starting the slapd ldap service.

-- Unit slapd.service has begun starting up.
Aug 17 09:36:13 D-APP02 runuser[38747]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Aug 17 09:36:13 D-APP02 runuser[38747]: pam_unix(runuser:session): session closed for user ldap
Aug 17 09:36:13 D-APP02 check-config.sh[38744]: Checking configuration file failed:
Aug 17 09:36:13 D-APP02 check-config.sh[38744]: Unrecognized database type (ldap)
Aug 17 09:36:13 D-APP02 check-config.sh[38744]: 57b4684d /etc/openldap/slapd.conf: line 17: <database> failed init (ldap
Aug 17 09:36:13 D-APP02 check-config.sh[38744]: slaptest: bad configuration file!
Aug 17 09:36:25 D-APP02 slapd[38758]: @(#) $OpenLDAP: slapd 2.4.40 (Mar 31 2016 15:24:52) $
                                              mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.40/op
Aug 17 09:36:37 D-APP02 slapd[38758]: /etc/openldap/slapd.conf: line 17: <database> failed init (ldap)
Aug 17 09:36:37 D-APP02 slapd[38758]: slapd destroy: freeing system resources.
Aug 17 09:36:37 D-APP02 slapd[38758]: slapd stopped.
Aug 17 09:36:37 D-APP02 slapd[38758]: connections_destroy: nothing to destroy.
Aug 17 09:36:37 D-APP02 slapd[38758]: Unrecognized database type (ldap)
Aug 17 09:36:37 D-APP02 polkitd[10164]: Unregistered Authentication Agent for unix-process:38729:7626184 (system bus nam
Aug 17 09:36:37 D-APP02 systemd[1]: slapd.service: control process exited, code=exited status=1
Aug 17 09:36:37 D-APP02 systemd[1]: Failed to start OpenLDAP Server Daemon.
-- Subject: Unit slapd.service has failed

Open in new window


I'm very new to all this, I have limited Linux knowledge, so when I get into a jam I'm not sure how to troubleshoot it.

Thanks for your time, hopefully someone can help me with this.

Steve
Comment
Watch Question

Top Expert 2014

Commented:
Can you post your sladp.conf file?

slapd does not like whatever is on line 17.

Author

Commented:
Here you go...

# Import our schema
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/nis.schema

# Support both LDAPv2 and LDAPv3
allow           bind_v2

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

loglevel        1

# Our primary back end
database        bdb
suffix          "dc=county-lambton,dc=on,dc=ca"
rootdn          "cn=coladmin,dc=county-lambton,dc=on,dc=ca"
rootpw          "mypassword"
directory       /var/lib/ldap
# Indexes for this back end
index           objectClass                     eq,pres
index           ou,cn,mail,surname,givenname    eq,pres,sub
index           uid                             eq,pres,sub

Open in new window


Thanks!
Top Expert 2014

Commented:
Are you sure that is the slapd.conf file that was being used when you tried to start slapd?

That configuration file is setup for use on a "real" ldap server, not a proxy.

Author

Commented:
Oh crap, sorry - I've got three of these going trying to make this work - I've re installed and reconfigured these things a dozen times trying to get it to work...  it's likely on a different server, sorry...

it was this I think:


# Import our schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Support both LDAPv2 and LDAPv3
allow           bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

loglevel        1

# Our slapd-ldap back end to connect to AD

database        ldap
suffix          "dc=county-lambton,dc=on,dc=ca"
subordinate
rebind-as-user
uri             "ldap://coldc1.county-lambton.on.ca"
chase-referrals yes

# Our primary back end

database        bdb
suffix          "dc=county-lambton,dc=on,dc=ca"
rootdn          "cn=coladmin,dc=county-lambton,dc=on,dc=ca"
rootpw          "mypassword"
directory       /var/lib/ldap
# Indexes for this back end
index           objectClass                     eq,pres
index           ou,cn,mail,surname,givenname    eq,pres,sub
index           uid                             eq,pres,sub

Open in new window

Top Expert 2014
Commented:
The error: "Unrecognized database type (ldap)" means that you did not load the back_ldap module.

You need to find where that module is and add the following to your slapd.conf:

        modulepath  ../servers/slapd/back-monitor/
        moduleload  back_monitor.la


The modulepath statments needs to be changed to reflect there your module is.

Author

Commented:
That was it - thanks very much!