Step by Step Installation and Configuration of OpenLDAP as Proxy to Active Directory

This guide describes how to install and configure OpenLDAP as a proxy to Active Directory.

Installation:
yum install openldap-servers openldap-clients

Sample Files:
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

Set BASE and URI:
vi /etc/openldap/ldap.conf
BASE dc=mydomain,dc=com
URI ldap://localhost

Create Structure:
vi /root/mydomain.ldif
dn: dc=mydomain,dc=com
dc: mydomain
objectClass: dcObject
objectClass: organizationalUnit
ou: mydomain.com

dn: cn=openldap,dc=mydomain,dc=com
objectClass: top
objectClass: person
cn: openldap
sn: openldap
userPassword: 1111

Create Root User Password:

Edit /etc/openldap/slapd.conf: change dc="my-domain" to mydomain (or your own domain name) and update rootpw with the password you created in the previous step.

Remove everything in the slapd.d directory and load the LDIF file you created:
rm -rf /etc/openldap/slapd.d/*
slapadd -v -l /root/mydomain.ldif

[root@haroon openldap]# slapadd -v -l mydomain.ldif
The first database does not allow slapadd; using the first available one (2)
added: "dc=mydomain,dc=com" (00000001)
added: "cn=openldap,dc=mydomain,dc=com" (00000002)
_#################### 100.00% eta none elapsed none fast!
Closing DB...

Test:
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

Set Appropriate Permissions:
chown -R ldap:ldap /etc/openldap/slapd.d/
chown -R ldap:ldap /var/lib/ldap

Enable Logging:
Add the following line to /etc/rsyslog.conf (slapd logs to the local4 syslog facility by default):
local4.* /var/log/ldap.log

Start LDAP service:
service slapd start

Test:
ldapsearch -x -H ldap://localhost

Configuring as Proxy to AD:
vi /etc/openldap/slapd.conf
Add the following under "database definitions". In slapd.conf a line that starts with whitespace continues the directive on the line before it, so the binddn, credentials and mode lines must be indented, otherwise slapd rejects the idassert-bind directive:

database ldap
suffix "OU=dept,DC=domain,DC=co,DC=ae"
uri ldap://ad.domain.co.ae/
rebind-as-user
idassert-bind bindmethod=simple
    binddn="CN=open,OU=dept,DC=domain,DC=co,DC=ae"
    credentials=open
    mode=none
idassert-authzFrom "*"

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
service slapd restart

Test:
ldapsearch -H ldap://localhost -x -b "ou=dept,dc=domain,dc=co,dc=ae" -LLL "(cn=haroon*)"
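A small shell check, added here as an example and not part of the original guide, for the two things that trip people up with this stanza: slapd.conf only treats a line as a continuation of idassert-bind when it starts with whitespace (an unindented binddn= or credentials= line is what produces the 'SIMPLE needs "binddn" and "credentials"' error), and credentials= stores the AD bind password in cleartext, so the file must not be world-readable. The sample stanzas are constructed from the one above; the function and file names are my own.

```shell
# Constructed sample stanzas (adapted from the guide, not taken from a live
# server): the proxy definition with its continuation lines indented, and the
# same text with the indentation stripped, which slapd rejects.
good_stanza() {
cat <<'EOF'
database ldap
suffix "OU=dept,DC=domain,DC=co,DC=ae"
uri ldap://ad.domain.co.ae/
rebind-as-user
idassert-bind bindmethod=simple
    binddn="CN=open,OU=dept,DC=domain,DC=co,DC=ae"
    credentials=open
    mode=none
idassert-authzFrom "*"
EOF
}
bad_stanza() { good_stanza | sed 's/^ *//'; }

# check_proxy_conf FILE: print each finding; return 0 only when the stanza is
# well formed and the file (which holds a cleartext bind password) is not
# world-readable.
check_proxy_conf() {
    conf="$1"
    rc=0
    # slapd.conf joins a directive with the lines that follow it only when
    # those lines start with whitespace; rebuild the logical lines the same way.
    joined=$(awk '/^[ \t]/ { buf = buf " " $0; next }
                  { if (buf != "") print buf; buf = $0 }
                  END { if (buf != "") print buf }' "$conf")
    bind=$(printf '%s\n' "$joined" | grep '^idassert-bind ' || true)
    case "$bind" in *bindmethod=simple*)
        for key in binddn credentials; do
            case "$bind" in *"$key="*) ;; *)
                echo "$conf: idassert-bind has no $key= (continuation line not indented?)"
                rc=1 ;;
            esac
        done ;;
    esac
    # the ldap backend needs both a suffix and a uri on their own logical lines
    for key in suffix uri; do
        printf '%s\n' "$joined" | grep -q "^$key " || { echo "$conf: missing $key"; rc=1; }
    done
    # credentials= is a cleartext password: column 8 of the ls -l mode string
    # is the 'other' read bit, which must be clear
    if [ "$(ls -ld "$conf" | cut -c8)" = "r" ]; then
        echo "$conf: world-readable, but it stores the AD bind password in cleartext"
        rc=1
    fi
    return $rc
}
```

Run check_proxy_conf /etc/openldap/slapd.conf after editing and before slaptest; a clean run still does not replace slaptest, which parses the whole file.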


12 thoughts on "Step by Step Installation and Configuration of OpenLDAP as Proxy to Active Directory"

  1. Hi,
    I am trying to cache the information send by AD to Local LDAP, but having no luck.
    Any help will be appreciated.

    Thanks

    • my bad, I didn’t realize about the readability, I will try to change it to “preformatted” style as you suggested, sorry for the inconvenience caused and thanks for your feedback

  2. Did you run into any errors after adding your AD configuration? I’ve tried this on Cent5, Cent6, and ubuntu12.04 and get the same errors after the slaptest:

    "idassert-bind ": SIMPLE needs "binddn" and "credentials"

  3. hi,
    Excellent guide and working perfectly, however it took us some time in finding out that if it’s not “properly” formatted in /etc/openldap/slapd.conf then it will not work.
    Next article should be on getting this working with the PBX that will enable users to get corporate directory in desk phones.

    Regards,

    Ali

  4. Pingback: CloudStack 4.1 and LDAP Authentication | shankerbalan.net

  5. slapd.conf is not used anymore, would be nice if you could update this article using the new configuration schema since 2.3, regards.

  6. Hi, congratulations, your explanation is very good.
    But I have trouble authenticating the users, it seems it doesn’t read the objectClass attribute or userPassword, can you help me with this?
    Thanks.
