0

I have users in OpenLDAP server. They are manually managed.

dn: cn=alice,ou=contoso,dc=combined,dc=internal
mail: [email protected]

dn: cn=bob,ou=fabrikam,dc=combined,dc=internal
mail: [email protected]

It's DN says that user is from company fabrikam or contoso.

When user makes simple bind to OpenLDAP server, I want OpenLDAP to

  • select backend server for this user based on his DN:
    • ou=contoso,... => backend ldap server is 192.168.1.11
    • ou=fabrikam,... => backend ldap server is 192.168.1.12
  • search for user within backend server by mail attribute: (&(mail={orig.mail})(objectClass=user)) to get DN of this user from backend server (back_dn)
  • try to bind as back_dn to backend server using password provided by user and return success or error

I can't find any working example of this, or even something around it, please, help me...

Improve this question
2
  • Doesn't sssd support multiple ldap orgs? Commented Feb 5 at 12:28
  • How sssd came here? I need simple ldap service... @BobGoddard Commented Feb 5 at 16:39

2 Answers 2

Reset to default
1

This guide seems to describe configuring OpenLDAP to behave as an LDAP proxy that proxys auth requests to different back-end LDAP servers. I didn't read through the guide much, and I haven't deployed this kind of proxy service myself, so I don't know for sure whether OpenLDAP can select the desired back-end server on the particular attributes you want.

There are other LDAP proxy solutions that can be found by searching for "LDAP proxy". If OpenLDAP can't meet your needs, perhaps one of the others can.

Improve this answer
1
  • Thanks, but sorry, no. meta database binds makes remote LDAP a part of local LDAP, but it does not allow to manage user independent from remote user. And I need auth only to be passed to remote. Commented Feb 5 at 11:24
1

I don't know of any existing configuration that would work here, but my approach would be to use 'saslauthd' from Cyrus libsasl.

OpenLDAP supports outsourcing Simple Bind authentication to the 'saslauthd' daemon by having user entries with userPassword: {SASL}foo attribute. When a client tries to bind to such an entry, slapd will contact the saslauthd daemon via Unix socket, asking it to validate the username foo with the client's password.

(The same would be done for SASL 'PLAIN' binds, not that anything uses those.)

The real saslauthd happens to have an LDAP backend, although it only supports a single LDAP server. But since the protocol is very simple (listen on /run/saslauthd/mux, receive length-prefixed strings), it would be possible to write a custom saslauthd – e.g. in python – which would understand usernames in some custom format, like user@realm or realm/email@addr (or whatever format you prefer), and would validate the password against the respective LDAP backend server. Then you would only need to figure out how to keep the mail attribute in sync with the new hypothetical userPassword: {SASL}contoso/[email protected] attribute.

(Similarly it might be possible to store just a unique ID in userPassword (e.g. userPassword: {SASL}0183658373ea), and have the custom saslauthd itself query the original OU and 'mail:' address from your frontend directory by searching (userPassword={SASL}$username). As far as I know, slapd is multi-threaded so this approach should not dead-lock... until you run out of worker threads, at least, and then it might dead-lock.)

Improve this answer
1
  • Thank you. Found a little bit easier soulutinon: there is slapo-remoteauth module. When userPassword is empty, it can use some remoteDN and remoteDomain attributes from user, and map like remoteDomain1 = ldapServer1A and ldapServer2A , remoteDomain2 = ldapServer1B and ldapServer2B to authenticate. Still checking this overlay Commented Feb 10 at 13:03

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.