Solved

OpenLDAP Proxy to Active Directy

Posted on 2016-08-17
6
291 Views
Last Modified: 2016-08-25
I am trying to create an OpenLDAP proxy in our DMZ to allow authentication from a Webserver to our ActiveDirectory through OpenLDAP Proxy.

I have spun up a couple servers, one Ubuntu 16.04 with the Latest OpenLDAP installed, and also a CentOS7 with the latest OpenLDAP installed.  (I don't need two servers, I only spun up the CentOS because the article I was following was performed on a redhat os, so it made it easier to follow step by step)

I have been following these two guides to make this work:

However I've run into some trouble along the way, it seems neither of these guide work for me, the paths are never the same as what I have, or I get errors starting the slapd ldap service.

-- Unit slapd.service has begun starting up.
Aug 17 09:36:13 D-APP02 runuser[38747]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Aug 17 09:36:13 D-APP02 runuser[38747]: pam_unix(runuser:session): session closed for user ldap
Aug 17 09:36:13 D-APP02 check-config.sh[38744]: Checking configuration file failed:
Aug 17 09:36:13 D-APP02 check-config.sh[38744]: Unrecognized database type (ldap)
Aug 17 09:36:13 D-APP02 check-config.sh[38744]: 57b4684d /etc/openldap/slapd.conf: line 17: <database> failed init (ldap
Aug 17 09:36:13 D-APP02 check-config.sh[38744]: slaptest: bad configuration file!
Aug 17 09:36:25 D-APP02 slapd[38758]: @(#) $OpenLDAP: slapd 2.4.40 (Mar 31 2016 15:24:52) $
                                              mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.40/op
Aug 17 09:36:37 D-APP02 slapd[38758]: /etc/openldap/slapd.conf: line 17: <database> failed init (ldap)
Aug 17 09:36:37 D-APP02 slapd[38758]: slapd destroy: freeing system resources.
Aug 17 09:36:37 D-APP02 slapd[38758]: slapd stopped.
Aug 17 09:36:37 D-APP02 slapd[38758]: connections_destroy: nothing to destroy.
Aug 17 09:36:37 D-APP02 slapd[38758]: Unrecognized database type (ldap)
Aug 17 09:36:37 D-APP02 polkitd[10164]: Unregistered Authentication Agent for unix-process:38729:7626184 (system bus nam
Aug 17 09:36:37 D-APP02 systemd[1]: slapd.service: control process exited, code=exited status=1
Aug 17 09:36:37 D-APP02 systemd[1]: Failed to start OpenLDAP Server Daemon.
-- Subject: Unit slapd.service has failed

Open in new window


I'm very new to all this, I have limited Linux knowledge, so when I get into a jam I'm not sure how to troubleshoot it.

Thanks for your time, hopefully someone can help me with this.

Steve
0
Comment
Question by:Lambton
  • 3
  • 3
6 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 41761370
Can you post your sladp.conf file?

slapd does not like whatever is on line 17.
0
 

Author Comment

by:Lambton
ID: 41761458
Here you go...

# Import our schema
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/nis.schema

# Support both LDAPv2 and LDAPv3
allow           bind_v2

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

loglevel        1

# Our primary back end
database        bdb
suffix          "dc=county-lambton,dc=on,dc=ca"
rootdn          "cn=coladmin,dc=county-lambton,dc=on,dc=ca"
rootpw          "mypassword"
directory       /var/lib/ldap
# Indexes for this back end
index           objectClass                     eq,pres
index           ou,cn,mail,surname,givenname    eq,pres,sub
index           uid                             eq,pres,sub

Open in new window


Thanks!
0
 
LVL 57

Expert Comment

by:giltjr
ID: 41761478
Are you sure that is the slapd.conf file that was being used when you tried to start slapd?

That configuration file is setup for use on a "real" ldap server, not a proxy.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:Lambton
ID: 41761545
Oh crap, sorry - I've got three of these going trying to make this work - I've re installed and reconfigured these things a dozen times trying to get it to work...  it's likely on a different server, sorry...

it was this I think:


# Import our schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Support both LDAPv2 and LDAPv3
allow           bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

loglevel        1

# Our slapd-ldap back end to connect to AD

database        ldap
suffix          "dc=county-lambton,dc=on,dc=ca"
subordinate
rebind-as-user
uri             "ldap://coldc1.county-lambton.on.ca"
chase-referrals yes

# Our primary back end

database        bdb
suffix          "dc=county-lambton,dc=on,dc=ca"
rootdn          "cn=coladmin,dc=county-lambton,dc=on,dc=ca"
rootpw          "mypassword"
directory       /var/lib/ldap
# Indexes for this back end
index           objectClass                     eq,pres
index           ou,cn,mail,surname,givenname    eq,pres,sub
index           uid                             eq,pres,sub

Open in new window

0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 41761891
The error: "Unrecognized database type (ldap)" means that you did not load the back_ldap module.

You need to find where that module is and add the following to your slapd.conf:

        modulepath  ../servers/slapd/back-monitor/
        moduleload  back_monitor.la


The modulepath statments needs to be changed to reflect there your module is.
0
 

Author Closing Comment

by:Lambton
ID: 41770284
That was it - thanks very much!
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question