The idea is to ask OpenLDAP to delegate the authentication using the SASL protocol. Then the
Before we begin, let’s ensure we are good with the terminology used in this document and its definition.
LDAP vs Active Directory vs OpenLDAP?
OpenLDAP – OpenLDAP is a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License.
Active Directory is a database-backed system that provides authentication, directory, policy, and other services in a Windows environment.
LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory services such as Active Directory and OpenLDAP (Active Directory supports a form of LDAP).
In short:
– AD is a directory services database in a Windows environment.
– OpenLDAP is likewise a directory services database, in a Linux environment.
– LDAP is one of the protocols you can use to talk to either of them.
SASL
Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. Authentication mechanisms can also support proxy authorization, a facility allowing one user to assume the identity of another.
Pass-Through authentication is a mechanism used by some LDAP directories to delegate authentication operations (BIND) to other backends.
Pass-Through authentication is fully transparent to LDAP clients: they send standard authentication operations to the LDAP directory, which handles the delegation and forwards the response to the client as if the authentication had been done locally.
Fig: 1.1 – The password is stored in AD, and the OpenLDAP directory delegates authentication to it.
In our use case, we will add the actual user profile to our locally installed (CentOS 7) OpenLDAP server without any password. Then we will configure pass-through authentication between OpenLDAP and AD using the saslauthd daemon, so that whenever an authentication request is sent to the OpenLDAP server, it asks Active Directory to validate the password stored in its database.
This documentation assumes that you already know about configuring OpenLDAP and Active Directory.
Ref: To install and configure OpenLDAP on CentOS: https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html
Step 1: Connection to the backend
You need to get all connection parameters for the authentication backend. An example with Active Directory:
- Server address: ldap://ad.hellovinoth.com (or) ldap://10.14.48.48
- Bind DN: CN=Administrator,CN=Users,DC=hellovinoth,DC=com
- Bind Password: ADpassword
- Users branch: CN=DomainUsers,DC=hellovinoth,DC=com
For our environment, we can check these settings with an ldapsearch:
ldapsearch -x -LLL -H ldap://10.14.48.48 -D "IN\cloud.ADM" -w 'Hellovinoth@231' -b "DC=in,DC=hellovinoth,DC=com" "(&(objectclass=user)([email protected]))"
The response we get back confirms that the connection to our AD was established successfully.
Step 2: Define the LDAP access parameters
Add the entries below to /etc/saslauthd.conf:
ldap_servers: ldap://10.14.48.48
ldap_search_base: DC=in,DC=hellovinoth,DC=com
ldap_timeout: 10
ldap_filter: sAMAccountName=%U
ldap_bind_dn: IN\cloud.ADM
ldap_password: Hellovinoth@231
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
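As an added example (not part of the original tutorial), the script below audits a saslauthd.conf like the one above for the settings a defender would review: the configuration here uses plain ldap:// with ldap_start_tls: no, so the bind password and every user's password cross the wire in cleartext, and ldap_password must stay in cleartext for saslauthd to bind, so the file's permissions are what protect it. The helper names are hypothetical and the sample config is a constructed copy of Step 2 with a placeholder password.

```shell
#!/bin/sh
# Added example: audit /etc/saslauthd.conf for weak pass-through settings.
# Helper names are hypothetical; the sample config below is constructed.

# conf_value FILE KEY -> prints the value of "KEY: value" (last match wins)
conf_value() {
    awk -v k="$2" '$1 == k":" { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }' "$1"
}

# audit_saslauthd_conf FILE -> one finding per line; exit status is the
# number of WARN findings (0 means nothing to fix)
audit_saslauthd_conf() {
    f=$1; warns=0
    servers=$(conf_value "$f" ldap_servers)
    tls=$(conf_value "$f" ldap_start_tls)
    filter=$(conf_value "$f" ldap_filter)
    # Plain ldap:// without StartTLS sends the bind password and each
    # user's password to AD unencrypted.
    case "$servers" in
        *ldap://*) [ "$tls" = yes ] || { echo "WARN: ldap:// without ldap_start_tls: yes; use ldaps:// or StartTLS"; warns=$((warns+1)); } ;;
    esac
    # saslauthd binds with this password, so it cannot be hashed; only the
    # file permissions protect it.
    [ -n "$(conf_value "$f" ldap_password)" ] && echo "INFO: ldap_password is cleartext; keep the file root-owned, mode 0600"
    [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ] && { echo "WARN: $f is readable by group/others"; warns=$((warns+1)); }
    # Without %U/%u the filter matches the same AD object for every login.
    case "$filter" in
        *%U*|*%u*) ;;
        *) echo "WARN: ldap_filter does not use %U/%u"; warns=$((warns+1)) ;;
    esac
    return $warns
}

# Constructed sample mirroring Step 2 (the password is a placeholder)
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
ldap_servers: ldap://10.14.48.48
ldap_search_base: DC=in,DC=hellovinoth,DC=com
ldap_filter: sAMAccountName=%U
ldap_bind_dn: IN\cloud.ADM
ldap_password: <AD_BIND_PASSWORD>
ldap_start_tls: no
ldap_auth_method: bind
EOF
chmod 644 "$SAMPLE_CONF"
audit_saslauthd_conf "$SAMPLE_CONF" || echo "$? warning(s)"
```

Running it against the sample reports the cleartext transport and the world-readable file, and exits with status 2.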
Step 3: Saslauthd setup
Install the Cyrus SASL daemon and its LDAP plugin:
# yum install cyrus-sasl cyrus-sasl-ldap
Check whether your SASL daemon supports LDAP:
# saslauthd -v
If not, reinstall an LDAP-aware saslauthd daemon.
Step 4: Activate LDAP as SASL mechanism
Edit the /etc/
SOCKETDIR=/var/run/saslauthd
MECH=ldap
FLAGS="-O /etc/saslauthd.conf"
Now, start saslauthd:
# chkconfig saslauthd on
# service saslauthd restart
Step 5: Configure the communication between OpenLDAP and saslauthd
Update the /usr/lib64/sasl2/slapd.conf file to instruct OpenLDAP how to connect to the SASL daemon. The communication between the two daemons is done through a mutex, configured like this:
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
Step 6: Add the OpenLDAP user to the sasl group (adapt the names to your distribution's settings):
usermod -a -G saslauth ldap
Step 7: OpenLDAP configuration
Edit the OpenLDAP configuration file /etc/openldap/slapd.conf and add the SASL parameters:
sasl-host localhost
sasl-secprops none
Restart OpenLDAP:
# service slapd restart
Step 8: Test SASL authentication:
You can test the SASL part with this command:
# testsaslauthd -u cloud.ADM -p Hellovinoth@231
Step 9: Create an account in OpenLDAP:
Create an LDIF file for the new user:
dn: uid=<User Name Here>,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: <User Name Here>
uid: <User Name Here>
uidNumber: <UID_here>
gidNumber: 100
homeDirectory: /home/<User Name Here>
loginShell: /bin/bash
gecos: <User Name Here> [Admin (at) my-domain]
userPassword: {SASL}<User email ID Here>
Use the ldapadd command with the above file to create the new user in the OpenLDAP directory.
ldapadd -x -W -D "cn=ldapadm,dc=my-domain,dc=com" -f Vinoth.Selvaraj_9998.ldif
Sample .ldif file for reference:
dn: uid=vinoth.selvaraj,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: vinoth.selvaraj
uid: vinoth.selvaraj
uidNumber: 9998
gidNumber: 100
homeDirectory: /home/vinoth.selvaraj
loginShell: /bin/bash
gecos: Vinoth.selvaraj [Admin (at) my-domain]
userPassword: {SASL}[email protected]
Congratulate Yourself!
Now, login to your CentOS server using your Active Directory credentials.
Reference links:
https://gauvain.pocentek.net/docs/openldap-delegate-auth/
https://ltb-project.org/documentation/general/sasl_delegation
Cheers,
Vinoth Kumar Selvaraj
07/Feb/2019
hello
Nice tutorial, thank you.
This binding over SASL on another LDAP is working well.
However, what to do with the sambapasswd field to be able to use a Samba file server as a client of the LDAP?
Hello
Good work!
The configuration works well with saslauthd.
However, what about using a Samba server on the same LDAP?
(i.e. the field sambapasswd?)
Thanks for your help
Hello Vinoth,
Thanks for sharing this!!
I guess you are too busy to answer this question:
In the /etc/saslauthd.conf file, could the ldap_passwd parameter be hashed?
I tried with the slappasswd Linux command, but then Active Directory complains.
Thanks again,
Luis ( from Spain )