

OpenLDAP Pass through authentication with SASL to Active Directory

As per the OpenLDAP 2.4 Administration Guide: "Since OpenLDAP 2.0 slapd has had the ability to delegate password verification to a separate process. This uses the sasl_checkpass(3) function so it can use any back-end server that Cyrus SASL supports for checking passwords. The choice is very wide, as one option is to use saslauthd(8) which in turn can use local files, Kerberos, an IMAP server, another LDAP server, or anything supported by the PAM mechanism."

A real-world use case is the coexistence of OpenLDAP and Active Directory: one choice is to keep the passwords in AD and configure pass-through authentication between OpenLDAP and AD. With this setup, binds against OpenLDAP are verified with the AD password.

 

By establishing pass-through authentication the following advantages could be achieved:

  • Single password policy.

  • No need to remember multiple passwords.

In our case, Active Directory plays the role of this authentication back-end.

 

Environment Details and Software Versions:

  • Ubuntu 12.04 LTS.

  • Windows System.

  • OpenLDAP 2.4.40.

  • Microsoft Active Directory.

 

Prerequisites:

  • A basic understanding of LDAP and Active Directory terminology is required to follow this post.

  • OpenLDAP and Active Directory are working properly.

  • OpenLDAP is running on Ubuntu system and Active Directory is running on Windows System.



Step-1: Install the Cyrus SASL development package (needed to build OpenLDAP with SASL support).

sudo apt-get install libsasl2-dev

 

Step-2: Configure OpenLDAP to build with Cyrus SASL support.

Navigate to your OpenLDAP source directory and run:

./configure --enable-spasswd --with-cyrus-sasl

Then execute the following commands in order:

  1. sudo make depend

  2. sudo make

 

Step-3: Reinstall OpenLDAP with the following command.

Note: Before installing, back up your currently running OpenLDAP directory.

sudo make install

After running the above command, a new schema folder is created in your OpenLDAP directory and the old schema folder is renamed to schema.xxxx in the same directory. Compare the two folders and carry over any changes you need.

Once schema and schema.xxxx are identical (if changes were required), schema.xxxx can be removed.

Step-4: Install the saslauthd daemon and its test tool (the sasl2-bin package) with the following command.

sudo apt-get install sasl2-bin

 

Step-5: Open the saslauthd file in the ‘/etc/default’ directory and set the following:

START=yes

MECHANISMS="ldap"

 

Step-6: Add the OpenLDAP service account (the ‘ldap’ user) to the sasl group, so that slapd is allowed to reach the saslauthd socket, by executing the following command.

sudo adduser ldap sasl

 

Step-7: Set up the connection and search parameters to Active Directory for saslauthd.

Create or edit the file ‘/etc/saslauthd.conf’ and configure it as below (the AD address, port, search base, bind DN and password are placeholders for your environment):

ldap_servers: ldap://ad-address:port_no

ldap_search_base: dc=company,dc=com

ldap_filter: sAMAccountName=%U

ldap_bind_dn: cn=saslauthd,cn=users,dc=company,dc=com

ldap_password: password007

The ldap_password value is stored in plaintext, so keep this file readable by root only, and give the saslauthd bind account no more rights in AD than it needs to look up users.
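To make the shape of this file concrete, here is an added example (not code from the original post or from the Cyrus SASL project) that parses a saslauthd.conf-style file, checks that the five directives this setup depends on are present, and reports the two findings an auditor would look for first: a filter that does not restrain the lookup by login name, and a plaintext ldap_password in a file that is group- or world-readable. The sample configuration embedded below is constructed to mirror Step-7; the key names are the real saslauthd directives, while the mode values and the finding strings are this example's own.

```python
"""Added example: parse and audit a saslauthd.conf (constructed sample)."""
import os
import stat

# Directives this pass-through setup needs in saslauthd.conf.
REQUIRED = ("ldap_servers", "ldap_search_base", "ldap_filter",
            "ldap_bind_dn", "ldap_password")

# Constructed sample mirroring Step-7 (all values are placeholders).
SAMPLE_CONF = """\
# saslauthd.conf: ldap mechanism pointed at Active Directory
ldap_servers: ldap://ad-address:port_no
ldap_search_base: dc=company,dc=com
ldap_filter: sAMAccountName=%U
ldap_bind_dn: cn=saslauthd,cn=users,dc=company,dc=com
ldap_password: password007
"""


def parse_saslauthd_conf(text):
    """saslauthd.conf is one 'key: value' per line; '#' starts a comment.
    Split on the first colon only, because values (ldap:// URLs) contain colons."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        conf[key.strip()] = value.strip()
    return conf


def audit_conf(conf, mode=None):
    """Return a list of findings; an empty list means nothing to report.
    mode is the file's st_mode when the config was read from disk."""
    findings = []
    for key in REQUIRED:
        if key not in conf:
            findings.append("missing directive: " + key)
    filt = conf.get("ldap_filter", "")
    if "ldap_filter" in conf and "%U" not in filt and "%u" not in filt:
        findings.append("ldap_filter does not reference the login name (%U/%u)")
    if "ldap_password" in conf and mode is not None \
            and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(
            "ldap_password stored in plaintext but file is group/world readable")
    return findings


def audit_file(path):
    """Audit a real file, using its on-disk permissions for the mode check."""
    with open(path) as fh:
        conf = parse_saslauthd_conf(fh.read())
    return audit_conf(conf, os.stat(path).st_mode)


if __name__ == "__main__":
    parsed = parse_saslauthd_conf(SAMPLE_CONF)
    print("search base:", parsed["ldap_search_base"])
    # 0o644 is the default for a file created with the usual umask; the
    # plaintext password makes that a finding, 0o600 clears it.
    for finding in audit_conf(parsed, mode=0o644):
        print("finding:", finding)
```

Run `audit_file("/etc/saslauthd.conf")` on a host where the file exists to check the real thing; the `__main__` section only exercises the constructed sample so the script runs anywhere.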

 

Step-8: Restart saslauthd and test the SASL authentication part on its own, before involving OpenLDAP:

Restart: sudo service saslauthd restart

Test saslauthd: testsaslauthd -u coudot -p password

Here coudot is the AD user's sAMAccountName and password is that account's AD password; a successful run confirms that saslauthd can find and bind as the user in AD.

 

Step-9: Configure communication between OpenLDAP and SASL.

  1. Create or edit the slapd.conf file in the ‘/usr/lib/sasl2’ directory (this is the Cyrus SASL application configuration for slapd, not the OpenLDAP server configuration) and add the following:

mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

  2. Edit the OpenLDAP configuration (/openldap/slapd.conf) to set the SASL parameters:

sasl-host       localhost

sasl-secprops   none

  3. Restart OpenLDAP and saslauthd:

sudo service slapd restart

sudo service saslauthd restart

 

Step-10: If the following error/warning occurs when restarting the ‘saslauthd’ service:

Error:
/usr/sbin/saslauthd: /usr/local/lib/liblber-2.4.so.2: no version information available (required by /usr/sbin/saslauthd)
/usr/sbin/saslauthd: /usr/local/lib/libldap_r-2.4.so.2: no version information available (required by /usr/sbin/saslauthd)

then execute the following commands one by one:

sudo ln -fs /usr/local/lib/liblber-2.4.so.2 /usr/local/lib/

sudo ln -fs /usr/local/lib/libldap_r-2.4.so.2 /usr/local/lib/

 

Step-11: Test the authentication using an OpenLDAP user.

Create a user in OpenLDAP whose uid matches the AD user's sAMAccountName and whose userPassword is in the ‘{SASL}user@domain’ format, as in the example below:

dn: uid=coudot,ou=users,dc=company,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: coudot
cn: Ctox oudot
sn: oudot
userPassword: {SASL}coudot@company.com

 

Now you can bind as the OpenLDAP user with the AD password:

ldapsearch -x -H ldap://ldap.company.com -b dc=company,dc=com -D uid=coudot,ou=users,dc=company,dc=com -w password

What happens during that bind:

  1. slapd locates the object with DN uid=coudot,ou=users,dc=company,dc=com.

  2. If the object's userPassword attribute holds {SASL}coudot@company.com, slapd passes the authentication to saslauthd instead of checking the password itself.

  3. saslauthd searches AD for the object whose sAMAccountName equals the user part of that value (coudot).

  4. If the ‘coudot’ user is found in AD, saslauthd attempts to bind to AD with that object's DN and the password supplied to slapd.

  5. If the bind to AD succeeds, the user is authenticated to OpenLDAP.
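The five steps above can be followed in code. The following is an added example, not code from the original post, from OpenLDAP or from Cyrus SASL: it models the decision slapd makes when it sees a {SASL} userPassword value and the lookup-then-bind that saslauthd's ldap mechanism performs, with both directories replaced by constructed in-memory tables so it runs offline. The AD_ACCOUNTS and OPENLDAP_ENTRIES tables, the {SSHA} entry, and the escape_filter_value helper are this example's own assumptions; the filter escaping is what a defender wants to see happen before a login name is spliced into sAMAccountName=%U, and is shown here rather than claimed as saslauthd's exact behaviour.

```python
"""Added example: model of the Step-11 bind flow with constructed directories."""

# Constructed stand-in for the AD side: sAMAccountName -> password.
AD_ACCOUNTS = {"coudot": "password"}

# Constructed stand-in for the OpenLDAP side: DN -> attributes.
OPENLDAP_ENTRIES = {
    "uid=coudot,ou=users,dc=company,dc=com": {
        "uid": "coudot",
        "userPassword": "{SASL}coudot@company.com",
    },
    "uid=local,ou=users,dc=company,dc=com": {
        "uid": "local",
        # Hashed local password: slapd verifies this itself, never via saslauthd.
        "userPassword": "{SSHA}placeholder-hash",
    },
}

LDAP_FILTER = "sAMAccountName=%U"   # the ldap_filter from Step-7


def sasl_identity(user_password):
    """Return (user, realm) when the stored value delegates to SASL, else None."""
    if not user_password.startswith("{SASL}"):
        return None
    identity = user_password[len("{SASL}"):]
    user, _, realm = identity.partition("@")
    return user, realm


def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot change the shape of the filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expand_filter(user, realm):
    """Substitute %U (login name) and %r (realm) into the configured filter."""
    return (LDAP_FILTER.replace("%U", escape_filter_value(user))
                       .replace("%r", escape_filter_value(realm)))


def saslauthd_check(user, realm, password):
    """Model of saslauthd's ldap mechanism: expand the filter, find exactly one
    account, then bind as that account with the supplied password."""
    filt = expand_filter(user, realm)
    attr, _, wanted = filt.partition("=")
    if attr != "sAMAccountName":
        return False
    # An equality filter on an escaped value only matches the literal name, so
    # an escaped '*' or ')' never widens the search.
    if wanted not in AD_ACCOUNTS:
        return False
    return AD_ACCOUNTS[wanted] == password


def slapd_bind(dn, password):
    """Model of slapd's simple bind with pass-through enabled (--enable-spasswd)."""
    entry = OPENLDAP_ENTRIES.get(dn)
    if entry is None:
        return False                      # step 1 fails: no such object
    ident = sasl_identity(entry["userPassword"])
    if ident is None:
        return False                      # not {SASL}: local check, not modelled
    user, realm = ident
    return saslauthd_check(user, realm, password)   # steps 3 to 5


if __name__ == "__main__":
    dn = "uid=coudot,ou=users,dc=company,dc=com"
    print("correct AD password:", slapd_bind(dn, "password"))
    print("wrong password:     ", slapd_bind(dn, "nope"))
    print("filter for 'co*dot':", expand_filter("co*dot", "company.com"))
```

The example deliberately returns False for the {SSHA} entry rather than verifying the hash: the point is that only values tagged {SASL} are ever handed to saslauthd, so a user whose password stays local in OpenLDAP is unaffected by the pass-through configuration.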

 

Ref. link: https://ltb-project.org/documentation/general/sasl_delegation
