Remoteauth for AD Replication
Created by Jason Trupp, last modified on Sep 24, 2015
For UNIX users, set MANPATH location and open SLAPO-REMOTEAUTH manual
export MANPATH=/opt/symas/share/man; man slapo-remoteauth
slapo-remoteauth - Delegate authentication requests to remote directories, e.g., Active Directory
The remoteauth overlay to slapd(8) provides passthrough authentication to remote directory servers, e.g., Active Directory, for LDAP simple bind operations. The local LDAP entry referenced in the bind operation is mapped to its countepart in the remote directory. An LDAP bind operation is performed against the remote directory, and results are returned based on those of the remote operation.
A slapd server configured with the remoteauth overlay handles an authentication request based on whether the authenticating entry contains the userPassword attribute. If the authenticating entry does not contain the userPassword attribute, the slapd server performs the authentication request to the remote directory server. On the other hand, authentcation is performed locally, if the authenticating entry contains the userPassword attribute.
The following options can be applied to the remoteauth overlay within the slapd.conf file. All options should follow the overlay remoteauth directive.
This directive adds the remoteauth overlay to the current data base, see slapd.conf(5) for details.
Attribute in entry that is used to store the bind DN to a remote directory server. For Active Directory, this should map to the userPrincipalName attribute.
remoteauth_mapping <domain> <hostname|file:///path/to/list_of_hostnames>
For a non-Windows deployment, a domain can be considered as a collection of one or more hosts to which slapd server authenticates against on behalf of authenticating users. For a given domain name, the mapping specifies the target server(s), e.g., Active Directory domain controller(s), to connect to via LDAP. The second argument can be given either as a hostname, or a file containing a list of hostnames, one per line. The hostnames are tried in sequence until the connection succeeds.
This option can be provided more than once to provide mapping information for different domains. For example,
remoteauth_mapping americas <file:///path/to/americas.domain.hosts> remoteauth_mapping emea <file:///path/to/emea.domain.hosts> remoteauth_mapping asiapacific <file:///path/to/asiapacific.domain.hosts>
Attribute in entry that specifies the domain name. For Windows, the ntUserDomainID attrbiute can be used, because any text after “\” or “:” is ignored.
remoteauth_default_domain <default domain>
Fallback server to connect to for domains not specified in remoteauth_mapping
Hashed trusted CA directory. Defaults to OpenLDAP configuration.
remoteauth_cacert_file <CA cert>
Trusted CAs in PEM format. Defaults to OpenLDAP configuration.
Enable/disable validation of remote server certificate. Default is on.
Number of connection retries attempted. Default is 3.
A typical example configuration of remoteauth overlay for AD is shown below:
Add the following to slapd.conf(5)
database <database> #… overlay remoteauth remoteauth_dn_attribute seeAlso remoteauth_domain_attribute dc remoteauth_default_realm americas.example.com remoteauth_mapping americas file:///home/ldap/etc/remoteauth.americas remoteauth_mapping emea emeadc1.emea.example.com remoteauth_cacert_file /home/ldap/etc/example-ca.pem
where seeAlso contains the AD bind DN for the user, dc contains the Windows Domain Id in the form of <NT-domain-name>:<NT-username> in which anything following, including “:”, is ignored.