Solved

OpenLDAP Proxy to Active Directy

Posted on 2016-08-17
6
216 Views
Last Modified: 2016-08-25
I am trying to create an OpenLDAP proxy in our DMZ to allow authentication from a Webserver to our ActiveDirectory through OpenLDAP Proxy.

I have spun up a couple servers, one Ubuntu 16.04 with the Latest OpenLDAP installed, and also a CentOS7 with the latest OpenLDAP installed.  (I don't need two servers, I only spun up the CentOS because the article I was following was performed on a redhat os, so it made it easier to follow step by step)

I have been following these two guides to make this work:

However I've run into some trouble along the way, it seems neither of these guide work for me, the paths are never the same as what I have, or I get errors starting the slapd ldap service.

-- Unit slapd.service has begun starting up.
Aug 17 09:36:13 D-APP02 runuser[38747]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Aug 17 09:36:13 D-APP02 runuser[38747]: pam_unix(runuser:session): session closed for user ldap
Aug 17 09:36:13 D-APP02 check-config.sh[38744]: Checking configuration file failed:
Aug 17 09:36:13 D-APP02 check-config.sh[38744]: Unrecognized database type (ldap)
Aug 17 09:36:13 D-APP02 check-config.sh[38744]: 57b4684d /etc/openldap/slapd.conf: line 17: <database> failed init (ldap
Aug 17 09:36:13 D-APP02 check-config.sh[38744]: slaptest: bad configuration file!
Aug 17 09:36:25 D-APP02 slapd[38758]: @(#) $OpenLDAP: slapd 2.4.40 (Mar 31 2016 15:24:52) $
                                              mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.40/op
Aug 17 09:36:37 D-APP02 slapd[38758]: /etc/openldap/slapd.conf: line 17: <database> failed init (ldap)
Aug 17 09:36:37 D-APP02 slapd[38758]: slapd destroy: freeing system resources.
Aug 17 09:36:37 D-APP02 slapd[38758]: slapd stopped.
Aug 17 09:36:37 D-APP02 slapd[38758]: connections_destroy: nothing to destroy.
Aug 17 09:36:37 D-APP02 slapd[38758]: Unrecognized database type (ldap)
Aug 17 09:36:37 D-APP02 polkitd[10164]: Unregistered Authentication Agent for unix-process:38729:7626184 (system bus nam
Aug 17 09:36:37 D-APP02 systemd[1]: slapd.service: control process exited, code=exited status=1
Aug 17 09:36:37 D-APP02 systemd[1]: Failed to start OpenLDAP Server Daemon.
-- Subject: Unit slapd.service has failed

Open in new window


I'm very new to all this, I have limited Linux knowledge, so when I get into a jam I'm not sure how to troubleshoot it.

Thanks for your time, hopefully someone can help me with this.

Steve
0
Comment
Question by:Lambton
  • 3
  • 3
6 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 41761370
Can you post your sladp.conf file?

slapd does not like whatever is on line 17.
0
 

Author Comment

by:Lambton
ID: 41761458
Here you go...

# Import our schema
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/nis.schema

# Support both LDAPv2 and LDAPv3
allow           bind_v2

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

loglevel        1

# Our primary back end
database        bdb
suffix          "dc=county-lambton,dc=on,dc=ca"
rootdn          "cn=coladmin,dc=county-lambton,dc=on,dc=ca"
rootpw          "mypassword"
directory       /var/lib/ldap
# Indexes for this back end
index           objectClass                     eq,pres
index           ou,cn,mail,surname,givenname    eq,pres,sub
index           uid                             eq,pres,sub

Open in new window


Thanks!
0
 
LVL 57

Expert Comment

by:giltjr
ID: 41761478
Are you sure that is the slapd.conf file that was being used when you tried to start slapd?

That configuration file is setup for use on a "real" ldap server, not a proxy.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:Lambton
ID: 41761545
Oh crap, sorry - I've got three of these going trying to make this work - I've re installed and reconfigured these things a dozen times trying to get it to work...  it's likely on a different server, sorry...

it was this I think:


# Import our schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Support both LDAPv2 and LDAPv3
allow           bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

loglevel        1

# Our slapd-ldap back end to connect to AD

database        ldap
suffix          "dc=county-lambton,dc=on,dc=ca"
subordinate
rebind-as-user
uri             "ldap://coldc1.county-lambton.on.ca"
chase-referrals yes

# Our primary back end

database        bdb
suffix          "dc=county-lambton,dc=on,dc=ca"
rootdn          "cn=coladmin,dc=county-lambton,dc=on,dc=ca"
rootpw          "mypassword"
directory       /var/lib/ldap
# Indexes for this back end
index           objectClass                     eq,pres
index           ou,cn,mail,surname,givenname    eq,pres,sub
index           uid                             eq,pres,sub

Open in new window

0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 41761891
The error: "Unrecognized database type (ldap)" means that you did not load the back_ldap module.

You need to find where that module is and add the following to your slapd.conf:

        modulepath  ../servers/slapd/back-monitor/
        moduleload  back_monitor.la


The modulepath statments needs to be changed to reflect there your module is.
0
 

Author Closing Comment

by:Lambton
ID: 41770284
That was it - thanks very much!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

28 Experts available now in Live!

Get 1:1 Help Now