Posted on by

#StackBounty: #active-directory #openldap #ldap-translucent Slapd translucent proxy and AD override

Bounty: 50

We try to set up an OpenLdap server (slapd) on Ubuntu 18.04 to reach this goal: Create custom group in the slapd server with members from the ActiveDirectory (AD).

Now we set up a translucent proxy (because seems it’s doing what we want) as following:

/etc/ldap# cat slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

# Include schemas
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
#include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/ad.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time

modulepath /usr/lib/ldap
moduleload back_meta
moduleload back_mdb
moduleload back_ldap
moduleload back_hdb
moduleload rwm
moduleload translucent
#moduleload memberof
moduleload pcache

# Enable TLS
#TLSCACertificateFile /etc/ldap/ca.pem
#TLSCertificateFile /etc/ldap/cert.pem
#TLSCertificateKeyFile /etc/ldap/key.pem

# Log level
loglevel 4095

#######################################################################
# database definitions
#######################################################################
database mdb
suffix "dc=xxx,dc=yyy,dc=net"
rootdn "cn=admin,dc=xxx,dc=yyy,dc=net"
rootpw "SupeSecretSecret"
directory /etc/ldap/mdb

#index objectClass eq
overlay translucent
translucent_local carLicense

tls ldaps       tls_reqcert=allow
uri ldaps://AD1.xxx.yyy.net:636
lastmod off
acl-bind binddn="cn=BindUSer,ou=zzz,ou=Users,ou=bbb,dc=xxx,dc=yyy,dc=net" credentials="AnotherSuperSecretSecret"

Now, we are able to perform ldapsearch through the LDAP to the AD, but we have to use a bind user in the ldapsearch, like the bind user defined in the configuration are ignored.

What I’m not understanding is how I can create a Group on local LDAP DB and insert users from the remote AD.

What I missing?

Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.