May 2008

Integrate Active Directory and OpenLDAP

Use OpenLDAP’s proxy service to allow LDAP operations to cross boundaries
Sidebar: Upgrading OpenLDAP on CentOS


To solve this problem, you could write your own LDAP clients (e.g., using Perl's Net::LDAP), use another vendor's toolset, or bypass the issue entirely and use OpenLDAP's proxy service. I'll show you the third option.

Using OpenLDAP as a Proxy
OpenLDAP can proxy connections to AD on behalf of a client. Simply put, whenever an operation needs AD, slapd talks to AD for you. The benefit of this approach is that you no longer depend on the LDAP client's referral handling, which may or may not do what you want; instead the server, slapd, is configured to chase referrals on the client's behalf.

With an OpenLDAP proxy, all operations are routed through slapd, even though some need to be performed within AD. For routing through slapd to work, you configure slapd-ldap, the proxy back end for the slapd daemon. You could use other back ends such as slapd-meta, which provides even more features such as naming context rewriting, but slapd-ldap is the simplest to configure during initial testing.

Let's add a slapd-ldap configuration to slapd.conf. Listing 3 shows the code. In it, you can see several changes:

database ldap. Defines a new database that uses the slapd-ldap back end; this database is our proxy service.

subordinate. Marks this database (suffix cn=users,dc=testcorp,dc=com) as a subordinate of the local database that holds dc=testcorp,dc=com, so a search based at dc=testcorp,dc=com also descends into it. Without this keyword, slapd searches only the database that owns the search base (e.g., with a search base of dc=testcorp,dc=com, cn=users,dc=testcorp,dc=com would never be examined because it belongs to a different slapd database).

rebind-as-user. Tells slapd to remember the credentials supplied by the client and reuse them whenever it has to bind to the remote DSA again, for example when chasing a referral or re-establishing a dropped connection; the credentials must be valid in AD. Because the client's password is held by slapd and forwarded to AD, the proxy-to-AD connection must be protected (see uri).

uri. Specifies the remote LDAP server, in this case the AD DC. Notice that we aren't using SSL here. In the real world you would use an ldaps:// URI (or StartTLS) so that the forwarded credentials and the returned directory data don't cross the network in the clear, and you would protect the client-to-slapd hop the same way.

chase-referrals. Specifies that slapd chases any referrals AD returns automatically instead of handing them back to the client.
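Listing 3 itself is not reproduced on this page, so the following is an added example, not the article's listing or OpenLDAP project code: it reconstructs the proxy stanza from the five directives just described (suffix cn=users,dc=testcorp,dc=com and host dc1.testcorp.com are the article's; the `tls start` directive is the one documented in slapd-ldap(5), assumed available on your build) and adds a small check that rejects any slapd-ldap stanza which forwards client passwords with rebind-as-user over a plain ldap:// connection. Run it against your real slapd.conf with `check_proxy_tls /etc/openldap/slapd.conf`.

```shell
#!/bin/sh
# Added example: reconstructed slapd-ldap proxy stanza plus a TLS check.

# Write the proxy stanza to file $1, pointing at the DC URI given as $2.
# If $3 is "starttls", also add the StartTLS directive (slapd-ldap(5)).
write_proxy_stanza() {
  {
    printf '%s\n' \
      'database        ldap' \
      'suffix          "cn=users,dc=testcorp,dc=com"' \
      'subordinate' \
      "uri             \"$2\"" \
      'rebind-as-user  yes' \
      'chase-referrals yes'
    if [ "${3:-}" = "starttls" ]; then printf '%s\n' 'tls             start'; fi
  } > "$1"
}

# Scan slapd.conf $1 and exit non-zero if any 'database ldap' stanza keeps and
# forwards the client's credentials (rebind-as-user) without TLS to the DC,
# i.e. neither an ldaps:// uri nor 'tls start'. 'tls try-start' is deliberately
# not accepted: it falls back to cleartext when StartTLS fails.
check_proxy_tls() {
  awk '
    function flush() {
      if (inldap && rebind && !tls) {
        printf "%s: forwards client passwords in the clear\n", uri
        bad = 1
      }
      inldap = 0; rebind = 0; tls = 0; uri = "(no uri)"
    }
    /^[ \t]*database[ \t]/ { flush(); if ($2 == "ldap") inldap = 1 }
    inldap && /^[ \t]*uri[ \t]/ {
      uri = $2; gsub(/"/, "", uri)            # strip optional quotes
      if (uri ~ /^ldaps:\/\//) tls = 1
    }
    inldap && /^[ \t]*rebind-as-user([ \t]|$)/ {
      if (NF == 1 || tolower($2) == "yes") rebind = 1   # bare keyword or "yes"
    }
    inldap && /^[ \t]*tls[ \t]+start([ \t]|$)/ { tls = 1 }
    END { flush(); exit bad }
  ' "$1"
}

# Demonstration on two constructed stanzas: the article's plain ldap:// uri
# (rejected) next to the hardened ldaps:// version (accepted).
weak=$(mktemp); hard=$(mktemp)
write_proxy_stanza "$weak" "ldap://dc1.testcorp.com/"
write_proxy_stanza "$hard" "ldaps://dc1.testcorp.com/"
if check_proxy_tls "$weak"; then echo "weak stanza: accepted"; else echo "weak stanza: rejected"; fi
if check_proxy_tls "$hard"; then echo "hardened stanza: accepted"; fi
rm -f "$weak" "$hard"
```

With an ldaps:// URI, slapd itself becomes a TLS client of the DC, so it must trust the DC's certificate chain (the TLS_CACERT setting in the ldap.conf slapd reads); otherwise the proxy connection fails rather than silently downgrading.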

What's interesting is that AD uses the same suffix, dc=testcorp,dc=com, as OpenLDAP. Often both UNIX and AD administrators bring up a directory service with the same standard suffix (i.e., naming context), and only later do they find that they need better integration between the two. That's why the proxy database is grafted in as a subordinate at cn=users,dc=testcorp,dc=com, below the shared suffix, rather than at the suffix itself.

Now, restart slapd and run ldapsearch again:

# ldapsearch -x -h localhost -LLL -b dc=testcorp,dc=com \
    -D cn=dpuryear,cn=users,dc=testcorp,dc=com -W '(cn=dpuryear)' cn
Enter LDAP Password:

In this example, ldapsearch binds as cn=dpuryear,cn=users,dc=testcorp,dc=com, an entry that exists only in AD, and searches the base dc=testcorp,dc=com. Because the slapd-ldap database for cn=users,dc=testcorp,dc=com is subordinate to the local database, slapd forwards both the bind and the search to AD, mapping cn=users to the CN=Users container there. And slapd does map it, as you can see from the output:

dn: CN=dpuryear,CN=Users,DC=testcorp,DC=com
cn: dpuryear

which shows the entry CN=dpuryear,CN=Users,DC=testcorp,DC=com, the account for dpuryear in the AD CN=Users container. slapd now knows that any operation against cn=users,dc=testcorp,dc=com (the subordinate of our local dc=testcorp,dc=com database in the directory tree) actually requires these steps:

  1. Open an LDAP connection to ldap://dc1.testcorp.com/.
  2. Bind with the credentials supplied by the client.
  3. Perform the operation.
  4. Return the results to the client.

But there’s a problem: We don’t have access to all of the data in AD. To see what I mean, try to return the attribute sAMAccountName, which is specific to the AD schema. When I type

# ldapsearch -x -h localhost -LLL -b dc=testcorp,dc=com \
    -D cn=dpuryear,cn=users,dc=testcorp,dc=com -W '(cn=dpuryear)' cn sAMAccountName
Enter LDAP Password:

slapd returns only attributes defined in the schema known to OpenLDAP and nothing more:

dn: CN=dpuryear,CN=Users,DC=testcorp,DC=com
cn: dpuryear

Notice that sAMAccountName is not shown, even though it exists in AD and was requested in our ldapsearch command. To access all of the data in AD, you need OpenLDAP 2.3 or later, whose slapd-ldap back end transparently passes schema it doesn't know, applying only some minor syntax rules so that it can still perform filtering on those attributes.

Using OpenLDAP 2.3 to Pass Unknown Schema
You can install OpenLDAP 2.3 either by compiling the source or, far easier, by installing an RPM package (see the sidebar). After installation, the only configuration change required is to modify pidfile and argsfile in slapd.conf, because the newer OpenLDAP RPM assumes a different location for those files. Listing 4 shows the code for this.

Now, restart slapd and try ldapsearch again, first using cn in your filter:

# ldapsearch -x -h localhost -LLL -b dc=testcorp,dc=com \
    -D cn=dpuryear,cn=users,dc=testcorp,dc=com -W '(cn=dpuryear)' cn sAMAccountName
Enter LDAP Password:

and then the AD-only sAMAccountName:

# ldapsearch -x -h localhost -LLL -b dc=testcorp,dc=com \
    -D cn=dpuryear,cn=users,dc=testcorp,dc=com -W '(sAMAccountName=dpuryear)' \
    cn sAMAccountName
Enter LDAP Password:

Success! As you can see from the following output, ldapsearch queried slapd, which in turn queried AD for us:

dn: cn=dpuryear,cn=Users,dc=testcorp,dc=com
cn: dpuryear
SAMACCOUNTNAME: dpuryear

The key difference here is that we now have access to the complete AD schema, including sAMAccountName.
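After the upgrade, the way to know that the proxy really passes AD-only schema is to check the returned LDIF for the attribute rather than eyeballing it. The following is an added check, not part of the article or of OpenLDAP: it unfolds LDIF continuation lines (a line starting with a single space continues the previous one) and compares attribute names case-insensitively, because, as the output above shows, the proxied attribute can come back as SAMACCOUNTNAME. The two sample outputs are constructed from the article's OpenLDAP 2.2 and 2.3 results; in practice you pipe live ldapsearch output into `ldif_has_attr`.

```shell
#!/bin/sh
# Added example: did the proxy return the requested AD-only attribute?

# usage: ldif_has_attr ATTR < ldif   (exit 0 if ATTR is present, ignoring case)
ldif_has_attr() {
  awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    function check(l,   name) {
      if (l == "") return
      name = l; sub(/:.*/, "", name)         # "attr: value" -> "attr"
      if (tolower(name) == want) found = 1
    }
    /^ / { line = line substr($0, 2); next } # LDIF folding: join continuation
    { check(line); line = $0 }
    END { check(line); exit !found }
  '
}

# Constructed samples, modelled on the article's two outputs; the folded dn
# lines are the form ldapsearch emits for long values.
OUT_22='dn: CN=dpuryear,CN=Users,DC=testcorp,D
 C=com
cn: dpuryear'
OUT_23='dn: cn=dpuryear,cn=Users,dc=testcorp,
 dc=com
cn: dpuryear
SAMACCOUNTNAME: dpuryear'

if printf '%s\n' "$OUT_22" | ldif_has_attr sAMAccountName; then
  echo "2.2 output: sAMAccountName present"
else
  echo "2.2 output: sAMAccountName missing (attribute unknown to slapd was dropped)"
fi
if printf '%s\n' "$OUT_23" | ldif_has_attr sAMAccountName; then
  echo "2.3 output: sAMAccountName present (schema passed through)"
fi
```

Because the check unfolds continuation lines before looking at names, it also copes with an attribute name that ldapsearch happened to fold across two lines, and a missing attribute is reported as a non-zero exit so the check can gate a scripted upgrade.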

Seamless Access to AD
You should now be able to attach AD to any part of your OpenLDAP directory tree. You can authenticate your AD users in LDAP applications that use OpenLDAP, or even provide access to multiple AD domains in your network if they aren't all part of a single forest already.



Reader Comments
I loved the subject of this article. We're currently going through an auditing process, and integration of our LINUX accounts with AD would go a long way in streamlining the way we demonstrate compliance.

I would love to see more articles like this that integrate Windows with other OSs.

With that in mind, the name of this magazine is "WINDOWS IT Pro". While I'd like to think I can navigate a 'nix system pretty well, your article leaves a lot of gaps in the low-level processes. Navigation of the web site for the CentOS rpm alone yields several pages of possible downloads, with seemingly few distinctions made between them.

The sidebars too could be bolstered with details like instructions for downloading the file and transferring it to the unix system (i.e. with an smb mountpoint) and flags for installing the rpm packages (rpm -i filename.rpm).

Perhaps I represent the minority, but I'm reading this from a WINDOWS administrator's perspective. I realize that simple Linux navigation (like the necessity of "su"-ing after initial login) is arguably too detailed for inclusion, but the article left a lot of details to be desired.

I suppose the argument could be made that if one doesn't know how to log into a Linux system one shouldn't be integrating it with one's enterprise directory. However at a minimum any article proposing this integration should probably narrow down the field of possible downloads available out on (http://dev.centos.org/centos/4/testing/i386/RPMS/) for fear of endorsing the wrong one.

Thanks for a great article, but please don’t spare us the details.

Tallarico, May 14, 2008



Also - the "printer friendly" version cuts off in the middle of words. This wouldn't be specific to this article, however.

Hopefully this comment will only post once. :D

Tallarico, May 14, 2008

