Active-Directory

Combining an Active Directory database and a local OpenLDAP database with the meta database backend

  • July 19, 2021

I am trying to use the OpenLDAP meta backend to do the following in a single query:

  1. Query the local OpenLDAP database for the account. (I control this resource; only a few accounts will be stored here.)
  2. If the account is not found locally, query Active Directory next (where I cannot create accounts).

A user will only be found in one of the two, never in both.

I have tried following many tutorials to accomplish this, but none of them matched my exact situation, and I was unable to adapt any of them into working order.

For testing, I created a simple LDIF backend that allows anonymous binds:

   database   ldif
   suffix     "ou=local,dc=proxy,dc=ldap"
   directory  "/var/lib/ldap/"

My meta configuration is as follows:

   database             meta
   suffix               "dc=example,dc=com"

   uri                  "ldaps://ad.my.edu/ou=org-1,dc=example,dc=com"
   suffixmassage        "dc=org-1,dc=example,dc=com" "ou=axxxx,dc=sxxxx,dc=xxx,dc=xx,dc=xxx"
   idassert-authzFrom   "dn:*"
   idassert-bind        bindmethod=simple
                binddn="cn=XXXX,ou=it,ou=services,ou=axxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx"
                credentials="XXXX"
                mode=none

   overlay              rwm
   rwm-map              attribute uid sAMAccountName
   rwm-map              objectClass posixAccount person

   uri                  "ldap://127.0.0.1/ou=org-2,dc=example,dc=com"
   suffixmassage        "ou=org-2,dc=example,dc=com" "ou=local,dc=proxy,dc=ldap"

This is the result of my search from the command line:

   ldapsearch -x -H 'ldap://127.0.0.1' -b dc=example,dc=com -s sub '(sAMAccountNAme=xxxxxx*)' -LLL

   slapd[1949]: conn=1014 op=2 UNBIND
   slapd[1949]: conn=1014 fd=9 closed
   slapd[1949]: conn=1015 fd=9 ACCEPT from IP=127.0.0.1:59624 (IP=127.0.0.1:389)
   slapd[1949]: conn=1015 op=0 BIND dn="" method=128
   slapd[1949]: conn=1015 op=0 RESULT tag=97 err=0 text=
   slapd[1949]: conn=1015 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(?sAMAccountName=xxxxxxxx*)"
   slapd[1949]: conn=1015 op=1 meta_search_dobind_init[0]: retrying URI="ldaps://ad.my.edu" DN="cn=xxxx,ou=it,ou=services,ou=axxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx"
   slapd[1949]: conn=1002 op=9 SRCH base="ou=local,dc=proxy,dc=ldap" scope=2 deref=0 filter="(?sAMAccountName=xxxxxxx*)"
   slapd[1949]: conn=1002 op=9 SEARCH RESULT tag=101 err=32 nentries=0 text=
   slapd[1949]: conn=1015 op=1 meta_back_search[1] match="" err=32 (No such object) text="".
   slapd[1949]: conn=1015 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
   ldapsearch[2054]: DIGEST-MD5 common mech free
   slapd[1949]: conn=1015 op=2 UNBIND
   slapd[1949]: conn=1015 fd=9 closed

I have made some progress. I can now retrieve user information from Active Directory if it is not found locally, but I cannot rebind as the user to complete authentication.

I get a "Proxy operation retry failed" error:

   slapd[22555]: conn=1000 fd=8 ACCEPT from IP=127.0.0.1:35848 (IP=127.0.0.1:389)
   slapd[22555]: conn=1001 fd=9 ACCEPT from IP=127.0.0.1:35850 (IP=127.0.0.1:389)
   slapd[22555]: conn=1000 op=0 BIND dn="cn=xxxx,ou=local" method=128
   slapd[22555]: conn=1000 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0
   slapd[22555]: conn=1000 op=0 RESULT tag=97 err=0 text=
   slapd[22555]: conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=xxxxxx)"
   slapd[22555]: conn=1002 fd=11 ACCEPT from IP=127.0.0.1:35852 (IP=127.0.0.1:389)
   slapd[22555]: conn=1002 op=0 BIND dn="cn=xxxx,ou=local" method=128
   slapd[22555]: conn=1002 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0
   slapd[22555]: conn=1002 op=0 RESULT tag=97 err=0 text=
   slapd[22555]: conn=1003 fd=13 ACCEPT from IP=127.0.0.1:35854 (IP=127.0.0.1:389)
   slapd[22555]: conn=1003 op=0 BIND dn="cn=xxxx,ou=local" method=128
   slapd[22555]: conn=1003 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0
   slapd[22555]: conn=1003 op=0 RESULT tag=97 err=0 text=
   slapd[22555]: conn=1002 op=1 SRCH base="ou=xxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx" scope=2 deref=0 filter="(uid=xxxxxx)"
   slapd[22555]: conn=1003 op=1 SRCH base="ou=local" scope=2 deref=0 filter="(uid=xxxxxx)"
   slapd[22555]: conn=1003 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
   slapd[22555]: conn=1000 op=1 meta_back_search[1] match="" err=32 (No such object) text="".
   slapd[22555]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
   slapd[22555]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
   slapd[22555]: conn=1001 op=0 BIND dn="cn=xxxxxx,ou=xxxx,dc=a,dc=example,dc=com" method=128
   slapd[22555]: conn=1004 fd=16 ACCEPT from IP=127.0.0.1:35858 (IP=127.0.0.1:389)
   slapd[22555]: conn=1004 op=0 BIND dn="cn=xxxxxx,ou=General,ou=xxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx" method=128
   slapd[22555]: conn=1004 op=0 ldap_back_retry: retrying URI="ldaps://active.directory" DN=""
   slapd[22555]: conn=1004 op=0 RESULT tag=97 err=52 text=Proxy operation retry failed
   slapd[22555]: conn=1004 op=1 UNBIND
   slapd[22555]: conn=1001 op=0 RESULT tag=97 err=52 text=
   slapd[22555]: conn=1004 fd=16 closed

This is my modified meta configuration:

   database meta
   suffix dc=example,dc=com
   # The last rwm-map line maps all other attributes to nothing.
   overlay rwm
   rwm-map attribute uid sAMAccountname
   rwm-map attribute *
   #rwm-map objectclass posixGroup group
   #rwm-map objectclass posixAccount person
   #rwm-map objectclass memberUid member

   ##
   uri "ldap://127.0.0.1/dc=a,dc=example,dc=com"
   suffixmassage "dc=a,dc=example,dc=com" "ou=xxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx"
   rebind-as-user true
   idassert-bind
     bindmethod=simple
     binddn="cn=XXXX,ou=local"
     credentials=XXXX
     mode=none
   idassert-authzFrom "dn.regex:.*"

   ##
   uri "ldap://127.0.0.1/dc=b,dc=example,dc=com"
   suffixmassage "dc=b,dc=example,dc=com" "ou=local"
   rebind-as-user true
   idassert-bind
     bindmethod=simple
     binddn="cn=XXXX,ou=local"
     credentials=XXXX
     mode=none
   idassert-authzFrom "dn.regex:.*"

   ##
   database ldap
   uri ldaps://active.directory
   suffix ou=xxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx
   rebind-as-user true
   idassert-bind
     bindmethod=simple
     binddn="cn=XXXX,ou=xxxx,ou=sxxxx,ou=axxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx"
     credentials=XXXX
     tls_reqcert=allow
     tls_cacert=/etc/letsencrypt/live/xxxx/fullchain.pem
     tls_cert=/etc/letsencrypt/live/xxxx/cert.pem
     tls_key=/etc/letsencrypt/live/xxxx/privkey.pem
     mode=none
   idassert-authzFrom "dn.regex:.*"
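The slapd excerpts in the question are hard to read because the proxy opens its own connections to each target, so one client operation is spread over several `conn=` numbers. The following triage script is an added example (not part of the original question): it groups the lines by `(conn, op)`, pairs each BIND or SRCH with its RESULT, and lists the binds that failed (the `err=52` "Proxy operation retry failed" case) and the searches that returned nothing, together with any `retrying URI=` lines seen on them. A filter printed as `(?attr=...)` means slapd could not resolve the attribute type in its own schema, which is why `sAMAccountName` needs the `rwm-map`. The sample lines are copied from the logs above, with the question's own `xxxx` redactions; the result-code names follow RFC 4511.

```python
import json
import re
from collections import OrderedDict

# Constructed excerpt: lines copied from the two slapd logs in the question above
# (the xxxx placeholders are the question's own redactions).
SAMPLE_LOG = """\
slapd[1949]: conn=1015 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(?sAMAccountName=xxxxxxxx*)"
slapd[1949]: conn=1015 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
slapd[22555]: conn=1000 fd=8 ACCEPT from IP=127.0.0.1:35848 (IP=127.0.0.1:389)
slapd[22555]: conn=1000 op=0 BIND dn="cn=xxxx,ou=local" method=128
slapd[22555]: conn=1000 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0
slapd[22555]: conn=1000 op=0 RESULT tag=97 err=0 text=
slapd[22555]: conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=xxxxxx)"
slapd[22555]: conn=1003 op=1 SRCH base="ou=local" scope=2 deref=0 filter="(uid=xxxxxx)"
slapd[22555]: conn=1003 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
slapd[22555]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[22555]: conn=1001 op=0 BIND dn="cn=xxxxxx,ou=xxxx,dc=a,dc=example,dc=com" method=128
slapd[22555]: conn=1004 op=0 BIND dn="cn=xxxxxx,ou=General,ou=xxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx" method=128
slapd[22555]: conn=1004 op=0 ldap_back_retry: retrying URI="ldaps://active.directory" DN=""
slapd[22555]: conn=1004 op=0 RESULT tag=97 err=52 text=Proxy operation retry failed
slapd[22555]: conn=1004 op=1 UNBIND
slapd[22555]: conn=1001 op=0 RESULT tag=97 err=52 text=
"""

# Field patterns for the slapd log lines used in the question's excerpts.
OP_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=\d deref=\d filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'^(?:SEARCH )?RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)'
                       r'(?: nentries=(?P<n>\d+))? text=(?P<text>.*)$')
RETRY_RE = re.compile(r'retrying URI="(?P<uri>[^"]*)" DN="(?P<dn>[^"]*)"')

# LDAP result codes seen in the question's logs, named as in RFC 4511.
LDAP_ERR = {0: "success", 32: "noSuchObject", 49: "invalidCredentials", 52: "unavailable"}


def parse_ops(log_text):
    """Group lines by (conn, op): what the operation was and how it ended."""
    ops = OrderedDict()
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue  # ACCEPT / closed lines carry no op number
        rec = ops.setdefault((int(m["conn"]), int(m["op"])), {"kind": None, "retries": []})
        rest = m["rest"]
        b = BIND_RE.match(rest)
        if b:
            rec.update(kind="BIND", dn=b["dn"], method=int(b["method"]))
            continue
        s = SRCH_RE.match(rest)
        if s:
            rec.update(kind="SRCH", base=s["base"], filter=s["filter"])
            continue
        r = RESULT_RE.match(rest)
        if r:
            rec.update(err=int(r["err"]), text=r["text"].strip(),
                       nentries=int(r["n"]) if r["n"] is not None else None)
            continue
        t = RETRY_RE.search(rest)
        if t:
            rec["retries"].append((t["uri"], t["dn"]))
    return ops


def triage(log_text):
    """Return the operations worth looking at first: failed binds and empty searches."""
    findings = {"failed_binds": [], "empty_searches": []}
    for (conn, op), rec in parse_ops(log_text).items():
        err = rec.get("err")
        if rec["kind"] == "BIND" and err not in (None, 0):
            findings["failed_binds"].append({
                "conn": conn, "dn": rec["dn"] or "<anonymous>", "err": err,
                "reason": LDAP_ERR.get(err, "other"), "text": rec.get("text", ""),
                "retries": rec["retries"]})
        elif rec["kind"] == "SRCH" and (err not in (None, 0) or rec.get("nentries") == 0):
            findings["empty_searches"].append({
                "conn": conn, "base": rec["base"], "filter": rec["filter"], "err": err,
                "reason": LDAP_ERR.get(err, "other"),
                # slapd prints "(?attr=...)" when the attribute type is undefined in its schema
                "undefined_attr": "(?" in rec["filter"]})
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against `journalctl -u slapd` output (or the syslog file slapd writes to) instead of `SAMPLE_LOG` to get the same two lists; the `retries` entry on a failed bind shows which target the proxy was retrying and with which DN, which is the first thing to compare against the `idassert-bind` block for that target.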

I had been searching for a solution to this for about a month and finally stumbled on the answer in the slapd man page, after seeing a sample configuration in an OpenLDAP thread directly related to my problem.

The key to my solution was the flags section of idassert-bind in the ldap backend. I added

   flags=override

From the slapd man page:

   Flags can be

   override,[non-]prescriptive,proxy-authz-[non-]critical

   When the override flag is used, identity assertion takes place even
   when the database is authorizing for the identity of the client, i.e.
   after binding with the provided identity, and thus authenticating it,
   the proxy performs the identity assertion using the configured identity
   and authentication method.


Final working Backend LDAP configuration:

   database meta
   suffix dc=example,dc=com

   ##
   uri "ldaps://127.0.0.1/dc=a,dc=example,dc=com"
   suffixmassage "dc=a,dc=example,dc=com" "ou=local"
   rebind-as-user yes
   idassert-bind
     bindmethod=simple
     binddn="cn=admin,ou=local"
     credentials=XXXXXXXX
     starttls=yes
     tls_reqcert=allow
     tls_cacert=/etc/letsencrypt/live/my.site.com/fullchain.pem
     tls_cert=/etc/letsencrypt/live/my.site.com/cert.pem
     tls_key=/etc/letsencrypt/live/my.site.com/privkey.pem
     mode=none
   idassert-authzFrom "dn.regex:.*"

   ##
   uri "ldaps://127.0.0.1/dc=b,dc=example,dc=com"
   suffixmassage "dc=b,dc=example,dc=com" "ou=axxxx,dc=sxxxx,dc=nxx,dc=xx,dc=xxx"
   rebind-as-user yes
   idassert-bind
     bindmethod=simple
     binddn="cn=admin,ou=local"
     credentials=XXXXXXXX
     starttls=yes
     tls_reqcert=allow
     tls_cacert=/etc/letsencrypt/live/my.site.com/fullchain.pem
     tls_cert=/etc/letsencrypt/live/my.site.com/cert.pem
     tls_key=/etc/letsencrypt/live/my.site.com/privkey.pem
     mode=none
   idassert-authzFrom "dn.regex:.*"

   ##
   database ldap
   uri ldaps://ldaps.my.site.com/
   suffix "OU=AXXXX,DC=sxxxx,DC=nxx,DC=xx,DC=xxx"
   rebind-as-user yes
   chase-referrals yes
   readonly yes
   idassert-bind
     bindmethod=simple
     binddn="CN=IXXXX,OU=IX,OU=SXXXX,OU=AXXXX,DC=sxxxx,DC=nxx,DC=xx,DC=xxx"
     credentials=XXXXXXXX
     flags=override
     mode=none
   idassert-authzFrom "dn.regex:.*"

   # The last rwm-map line maps all other attributes to nothing.
   overlay rwm
   rwm-map attribute uid sAMAccountname
   rwm-map attribute cn cn
   rwm-map attribute sn sn
   rwm-map attribute givenName givenName
   rwm-map attribute employeeID employeeID
   rwm-map attribute employeeNumber employeeNumber
   rwm-map attribute uidNumber uidNumber
   rwm-map attribute gidNumber gidNumber
   rwm-map attribute mail mail
   rwm-map attribute departmentNumber departmentNumber
   rwm-map attribute department department
   rwm-map attribute home extensionAttribute12
   rwm-map attribute *
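A proxy like the one above holds a service credential for Active Directory and asserts identities on behalf of every client, so its `idassert-bind` blocks deserve a second look once they work. The following linter is an added example, not code from the question or from OpenLDAP: it parses a slapd.conf-style excerpt (joining indented continuation lines, splitting on `database` and `uri`), collects each target's `idassert-bind` options, and reports the settings a reviewer would question. `tls_reqcert=allow` (and `never`) let the session continue even when the remote server presents a bad certificate, plain `ldap://` to a non-loopback host without `starttls=yes` sends the proxy's bind password in clear, `idassert-authzFrom "dn.regex:.*"` authorizes assertion for every DN, and `credentials=` stores the password in the config file. It also notes, as an informational item, a `rebind-as-user` target whose `idassert-bind` has no `flags=override`, since that is the combination this thread found to fail with `err=52`. The sample config is constructed from the final configuration above with placeholder hosts, DNs and credentials; the `ldap://ad.corp.example` target is added only to exercise the StartTLS check.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample modelled on the final configuration posted above.
# Hosts, DNs and credentials are placeholders; the ldap://ad.corp.example
# target is invented to exercise the plaintext-bind check.
SAMPLE_CONF = """\
database meta
suffix dc=example,dc=com

uri "ldaps://127.0.0.1/dc=a,dc=example,dc=com"
suffixmassage "dc=a,dc=example,dc=com" "ou=local"
rebind-as-user yes
idassert-bind
  bindmethod=simple
  binddn="cn=admin,ou=local"
  credentials=XXXXXXXX
  starttls=yes
  tls_reqcert=allow
  mode=none
idassert-authzFrom "dn.regex:.*"

uri "ldap://ad.corp.example/dc=b,dc=example,dc=com"
suffixmassage "dc=b,dc=example,dc=com" "ou=people,dc=corp,dc=example"
rebind-as-user yes
idassert-bind
  bindmethod=simple
  binddn="cn=proxy,ou=people,dc=corp,dc=example"
  credentials=XXXXXXXX
  mode=none

database ldap
uri ldaps://ldaps.my.site.com/
suffix "OU=AXXXX,DC=sxxxx,DC=nxx,DC=xx,DC=xxx"
rebind-as-user yes
readonly yes
idassert-bind
  bindmethod=simple
  binddn="CN=IXXXX,OU=IX,DC=sxxxx,DC=nxx,DC=xx,DC=xxx"
  credentials=XXXXXXXX
  flags=override
  mode=none
idassert-authzFrom "dn.regex:.*"
"""


def _logical_lines(text):
    """Join slapd.conf continuation lines (leading whitespace) onto their directive."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_backends(text):
    """Split the config into databases and, inside each, into targets (one per `uri`)."""
    backends, target = [], None
    for line in _logical_lines(text):
        toks = shlex.split(line)
        key, args = toks[0].lower(), toks[1:]
        if key == "database":
            backends.append({"type": args[0], "targets": []})
            target = None
        elif key == "uri":
            target = {"uri": args[0], "idassert": {}}
            backends[-1]["targets"].append(target)
        elif key == "idassert-bind" and target is not None:
            for opt in args:  # key=value tokens, binddn quotes already stripped by shlex
                k, _, v = opt.partition("=")
                target["idassert"][k.lower()] = v
        elif target is not None:
            target[key] = args
    return backends


def lint(text):
    """Return (uri, severity, message) findings for every proxy target in the config."""
    findings = []
    for be in parse_backends(text):
        for t in be["targets"]:
            uri, ia = t["uri"], t["idassert"]
            parts = urlsplit(uri)
            loopback = (parts.hostname or "") in ("127.0.0.1", "localhost", "::1")
            if parts.scheme == "ldap" and ia.get("starttls") != "yes" and not loopback:
                findings.append((uri, "HIGH", "plain ldap:// to a remote host without "
                                 "starttls=yes: the proxy's bind password crosses the network in clear"))
            if ia.get("tls_reqcert") in ("allow", "never"):
                findings.append((uri, "HIGH", f"tls_reqcert={ia['tls_reqcert']} does not reject a bad "
                                 "server certificate; use demand (or hard) with a tls_cacert"))
            if "credentials" in ia:
                findings.append((uri, "INFO", "idassert-bind credentials are stored in clear in the "
                                 "config file; keep it readable by the slapd user only"))
            if t.get("idassert-authzfrom", [""])[0] == "dn.regex:.*":
                findings.append((uri, "MEDIUM", 'idassert-authzFrom "dn.regex:.*" authorizes identity '
                                 "assertion for every bound DN; narrow the regex to the DNs that need it"))
            if t.get("rebind-as-user", ["no"])[0] in ("yes", "true") and ia and ia.get("flags") != "override":
                findings.append((uri, "INFO", "rebind-as-user with idassert-bind but no flags=override: "
                                 "this thread needed override before user binds through the target "
                                 "stopped failing with err=52"))
    return findings


if __name__ == "__main__":
    for uri, sev, msg in lint(SAMPLE_CONF):
        print(f"[{sev}] {uri}: {msg}")
```

Point `lint()` at the real slapd.conf text to review a deployed proxy; the parser only understands the directive forms used in this thread (`database`, `uri`, `idassert-bind` with key=value options, and one-line target directives), which is enough for the meta and ldap backends shown above.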

Quoted from: https://serverfault.com/questions/883452