Rocky9 OpenLDAP Proxy for AD
1 General
OpenLDAP proxy that presents a read-only view of AD
1.1 Prerequisites
- Install AD Server
- Install Rocky9 minimal for LDAP Proxy
1.2 Install OpenLDAP Proxy
# Enable EPEL first: some of the packages installed next (e.g. ldapvi) are,
# presumably, only available from that repository on Rocky 9.
dnf -y install epel-release
# slapd itself (openldap-servers), the ldap* command-line tools
# (openldap-clients) and the ldapvi editor used for the access test below.
dnf -y install openldap-servers openldap-clients ldapvi
1.3 Base configuration
1.4 Configure Proxy
- /etc/sysconfig/slapd
# /etc/sysconfig/slapd -- environment for slapd.service.
# The unit reads this file through EnvironmentFile=, so the values here
# override the defaults embedded in the unit. See 'man slapd' for -h and -f.
#
# Listener URLs (slapd -h):
#   ldapi:///   local UNIX socket; needed for on-the-fly configuration with
#               the client tools (SASL EXTERNAL authentication)
#   ldap:///    plaintext LDAP, port 389, on every interface
#   ldaps:///   LDAP over TLS, port 636, on every interface, using the
#               TLS* files configured in slapd.conf
# The stock default is "ldapi:/// ldap:///"; ldaps:/// is added for this proxy.
# Plain 389 is only reachable from outside if the firewall allows it -- the
# firewall step on this page opens 636/tcp alone, which keeps cleartext
# binds off the wire as long as firewalld stays active.
# Example of binding specific addresses/ports instead of all interfaces:
#   ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

# Extra daemon options: -f selects the flat slapd.conf instead of the
# slapd.d/ (cn=config) directory.
SLAPD_OPTIONS="-f/etc/openldap/slapd.conf"
# Override the packaged unit: a unit under /etc/systemd/system takes
# precedence over the copy in /lib/systemd/system and is left alone by
# package upgrades. -a keeps mode/ownership, -v prints what was copied.
cp -av -- /lib/systemd/system/slapd.service /etc/systemd/system/slapd.service
- /etc/systemd/system/slapd.service
# /etc/systemd/system/slapd.service
# Copy of the packaged unit; as shown here no directive differs from the
# stock file. The proxy-specific settings (listener URLs, -f slapd.conf)
# come from /etc/sysconfig/slapd via EnvironmentFile= below.
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-config
Documentation=man:slapd-mdb
Documentation=file:///usr/share/doc/openldap-servers/guide.html
[Service]
Type=forking
# Runs before the daemon; a non-zero exit here prevents slapd from starting.
ExecStartPre=/usr/libexec/openldap/check-config.sh
# Fallback values only: EnvironmentFile= is applied after Environment=, so
# SLAPD_URLS / SLAPD_OPTIONS from /etc/sysconfig/slapd win when set there.
Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
EnvironmentFile=/etc/sysconfig/slapd
# -u ldap: slapd runs as the unprivileged ldap user (slapd(8) -u). Anything
# it has to read -- slapd.conf, the TLS private key -- must be readable by
# that user.
ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} ${SLAPD_OPTIONS}
LimitMEMLOCK=infinity
LimitNOFILE=20480
# Restart 3 s after an unclean exit.
Restart=on-failure
RestartSec=3
[Install]
WantedBy=multi-user.target
# "systemctl enable" also makes the unit reachable as openldap.service.
Alias=openldap.service
- /etc/openldap/slapd.conf
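### Schema includes ###########################################################
# Schemas only define attribute types/object classes locally; no entries are
# stored on the proxy, they all come from AD through the ldap backend below.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
## Module paths ##############################################################
modulepath /usr/lib64/openldap/
moduleload back_ldap
# rwm is loaded but no "overlay rwm" follows, so no DN/attribute rewriting
# is active; the line is harmless and can be dropped until rewriting is used.
moduleload rwm
# Main settings ###############################################################
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
### TLS (global) ##############################################################
# Certificate the proxy presents on its own ldaps:/// listener (enabled in
# /etc/sysconfig/slapd). These are global directives, kept outside the
# database section. slapd runs as user "ldap" (-u ldap in the unit), so the
# private key must be readable by that user -- and by nobody else.
TLSCertificateKeyFile /etc/ssl/certs/domain.local/star.key
TLSCertificateFile /etc/ssl/certs/domain.local/star.crt
TLSCACertificateFile /etc/ssl/certs/domain.local/star-ca.crt
### Database definition (Proxy to AD) #########################################
# Reject anonymous bind requests. Note this only covers explicit anonymous
# binds; operations sent without any bind are governed by "require authc",
# which is not set here -- the ACL below is what keeps them from reading.
disallow bind_anon
database ldap
# The proxy refuses every write operation; AD is only ever read through it.
readonly yes
protocol-version 3
# Remember the client's own bind credentials so broken connections to AD can
# be re-established (and referrals chased, if that were enabled).
rebind-as-user
# Naming context presented to clients; must match the AD domain DN.
suffix "DC=DOMAIN,DC=LOCAL"
# Prod domain controllers.
# slapd-ldap(5) takes ONE uri directive holding a space-separated failover
# list; repeating the directive does not add a second server, the later
# value replaces the earlier one. The first DC that answers is used and moved
# to the head of the list.
# NOTE: ldap:// on 389 is plaintext, so the forwarded bind credentials and
# every search result cross the network unencrypted between proxy and DCs.
# If the DCs offer LDAPS/StartTLS, prefer ldaps:// URIs or the slapd-ldap
# "tls" directive.
uri "ldap://10.1.2.2:389 ldap://10.1.2.1:389"
# Do not maintain modifiersName/modifyTimestamp & co. locally.
lastmod off
# AD hands out referrals for other partitions; do not follow them from the
# proxy.
chase-referrals no
### Logging ###################################################################
# loglevel trace
# loglevel -1
### Access Rules ##############################################################
### "AD Proxy" can Read all, others can only auth (bind)
# Bind requests are forwarded to AD by the ldap backend rather than evaluated
# against these rules, so "by * none" blocks searches/reads for everyone but
# the AD Proxy account while any AD user can still authenticate through the
# proxy. The "by" clauses are continuation lines and must be indented.
access to dn.subtree="DC=DOMAIN,DC=LOCAL"
    by dn.exact="CN=AD Proxy,CN=Users,DC=DOMAIN,DC=LOCAL" read
    by * none
### Authenticated users can read in AD (rebind) but not write
# Alternative rule: every bound user may read; AD still enforces its own
# permissions for the forwarded search. Combine with "require authc" if
# unauthenticated searches must be refused as well.
# access to *
#     by * read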
# Put the SELinux contexts under /etc back in order after the edits above
# (-F: reset even customized contexts, -R: recurse, -v: print changes).
restorecon -FRv /etc

# Expose only the TLS listener; no rule is added for plain 389/tcp.
firewall-cmd --permanent --add-port=636/tcp
systemctl restart firewalld

# Start slapd at boot and (re)start it now with the new configuration.
systemctl enable slapd
systemctl restart slapd
systemctl status slapd

# Confirm which addresses and ports are actually being listened on.
lsof -i -P -n
1.5 Test Access
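# Bind as the "AD Proxy" account through the local proxy and list entries
# whose cn starts with "homer". The search base must be a valid DN that
# matches the suffix in slapd.conf (DC=DOMAIN,DC=LOCAL).
# "xxxxxx" stands for the account's password. Passing it with -w puts it in
# the process list and the shell history, so keep this to a one-off test and
# use a prompt- or file-based option of your ldapvi build otherwise.
# -h localhost talks plain LDAP on the loopback interface only.
ldapvi -h localhost -b 'DC=DOMAIN,DC=LOCAL' -D 'CN=AD Proxy,CN=Users,DC=DOMAIN,DC=LOCAL' -w xxxxxx '(&(cn=homer*))'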