OpenLDAP Pass through authentication with SASL to Active Directory - ST 2024
As per the OpenLDAP 2.4 Administration Guide: "Since OpenLDAP 2.0 slapd has had the ability to delegate password verification to a separate process. This uses the sasl_checkpass(3) function so it can use any back-end server that Cyrus SASL supports for checking passwords. The choice is very wide, as one option is to use saslauthd(8) which in turn can use local files, Kerberos, an IMAP server, another LDAP server, or anything supported by the PAM mechanism."
A real-world use case is the coexistence of OpenLDAP and Active Directory: one choice is to keep the passwords in AD and configure pass-through authentication between OpenLDAP and AD. With this setup, authentications performed against OpenLDAP use the AD password.
By establishing pass-through authentication, the following advantages can be achieved:
- Single password policy.
- No need to remember multiple passwords.
In our case, Active Directory plays the role of this authentication back-end.
Environment Details and Software Versions:
- Ubuntu 12.04 LTS.
- Windows System.
- OpenLDAP 2.4.40.
- Microsoft Active Directory.
Prerequisite:
- A basic understanding of LDAP and Active Directory terminology is required to follow this blog.
- OpenLDAP and Active Directory are working properly.
- OpenLDAP is running on Ubuntu system and Active Directory is running on Windows System.
Step-1: Install Cyrus SASL.
sudo apt-get install libsasl2-dev
Step-2: Configure OpenLDAP to work with Cyrus SASL.
Navigate to your OpenLDAP source directory and run:
./configure --enable-spasswd --with-cyrus-sasl
Then execute the following commands:
- sudo make depend
- sudo make
Step-3: Reinstall OpenLDAP with the following command.
Note: Before installing, take a backup of your currently running OpenLDAP directory.
sudo make install
After running the above command, a new schema folder is created in your OpenLDAP directory and the old schema folder is renamed schema.xxxx in the same directory. Compare both folders and apply changes as needed.
After making schema and schema.xxxx identical (if required), schema.xxxx can be removed.
Step-4: Install SASL (saslauthd) using the following command.
sudo apt-get install sasl2-bin
Step-5: Open the saslauthd file in the ‘/etc/default’ directory and update the following:
START=yes
MECHANISMS="ldap"
Step-6: Add the OpenLDAP service account (the ‘ldap’ user) to the sasl group by executing the following command.
sudo adduser ldap sasl
Step-7: Set up the connection and search parameters to Active Directory for saslauthd.
Create/Edit the file ‘/etc/saslauthd.conf’ and configure it as given below:
ldap_servers: ldap://ad-address:port_no
ldap_search_base: dc=company,dc=com
ldap_filter: sAMAccountName=%U
ldap_bind_dn: cn=saslauthd,cn=users,dc=company,dc=com
ldap_password: password007
Step-8: Restart saslauthd and test the SASL authentication part:
Restart: sudo service saslauthd restart
Test saslauthd: testsaslauthd -u coudot -p password
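The saslauthd.conf from Step-7 holds a plaintext bind password and, over a plain ldap:// URL, forwards each user's AD password to the domain controller in the clear. The following added shell check (not part of the original post or of saslauthd itself) lints such a file before the restart in Step-8: it verifies the five keys used above are present, that ldap_filter references %U, that a plain ldap:// server is paired with ldap_start_tls (the standard saslauthd LDAP option for STARTTLS; ldaps:// is the alternative), and that the file is not world-readable. Key names are the ones on this page; file paths and sample values in the usage are constructed.

```shell
#!/bin/sh
# Added example: lint /etc/saslauthd.conf before restarting saslauthd.
# Key names are those used on this page; ldap_start_tls is saslauthd's
# STARTTLS option. Paths and values are assumptions, not from the post.

# Print the value of a "key: value" line from a saslauthd.conf file.
# $1 = config file, $2 = key name
saslauthd_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Check a saslauthd.conf file. Prints one finding per line and returns 0
# only when every required key is present and nothing insecure was found.
saslauthd_lint() {
    conf="$1"
    rc=0
    for key in ldap_servers ldap_search_base ldap_filter ldap_bind_dn ldap_password; do
        if [ -z "$(saslauthd_get "$conf" "$key")" ]; then
            echo "MISSING: $key"
            rc=1
        fi
    done
    servers="$(saslauthd_get "$conf" ldap_servers)"
    tls="$(saslauthd_get "$conf" ldap_start_tls)"
    # The user's AD password travels on this connection; ldap:// needs STARTTLS.
    case "$servers" in
        *ldap://*)
            if [ "$tls" != "yes" ]; then
                echo "INSECURE: ldap:// without 'ldap_start_tls: yes' (passwords sent in clear)"
                rc=1
            fi ;;
    esac
    # The filter must map the OpenLDAP uid (%U) onto the AD account name.
    case "$(saslauthd_get "$conf" ldap_filter)" in
        *%U*|*%u*) ;;
        *) echo "WARN: ldap_filter does not reference %U"; rc=1 ;;
    esac
    # ldap_password is a plaintext bind secret: the file must not be world-readable.
    if [ "$(ls -ld "$conf" | cut -c8)" = "r" ]; then
        echo "INSECURE: $conf is world-readable"
        rc=1
    fi
    return $rc
}

# Usage (constructed path): saslauthd_lint /etc/saslauthd.conf && sudo service saslauthd restart
```

Run it with the real path before Step-8; a non-zero exit means at least one finding was printed and the restart should wait until the file is fixed.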
Step-9: Communication between OpenLDAP and SASL
- Create/Edit the slapd.conf file in the ‘/usr/lib/sasl2’ directory and add the following:
mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
- Edit/Add the OpenLDAP configuration (/openldap/slapd.conf) to set the SASL parameters:
sasl-host localhost
sasl-secprops none
- Restart OpenLDAP and SASL:
sudo service slapd restart
sudo service saslauthd restart
Step-10: If the following error/warning occurs when restarting the ‘saslauthd’ service:
Error:
/usr/sbin/saslauthd: /usr/local/lib/liblber-2.4.so.2: no version information available (required by /usr/sbin/saslauthd)
/usr/sbin/saslauthd: /usr/local/lib/libldap_r-2.4.so.2: no version information available (required by /usr/sbin/saslauthd)
Then execute the following commands one by one:
sudo ln -fs /usr/local/lib/liblber-2.4.so.2 /usr/local/lib/
sudo ln -fs /usr/local/lib/libldap_r-2.4.so.2 /usr/local/lib/
Step-11: Test the authentication using OpenLDAP user.
Create a user in OpenLDAP, set the uid value to the AD user’s sAMAccountName value, and set the ‘userPassword’ attribute to a value in ‘{SASL}user@domain’ format, as in the example below:
dn: uid=coudot,ou=users,dc=company,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: coudot
cn: Ctox oudot
sn: oudot
userPassword: {SASL}coudot@company.com
Now you can bind as the OpenLDAP user with the AD password:
ldapsearch -x -H ldap://ldap.company.com -b dc=company,dc=com -D uid=coudot,ou=users,dc=company,dc=com -w password
- slapd locates the object with DN uid=coudot,ou=users,dc=company,dc=com.
- If that object has the value {SASL}coudot@company.com in its userPassword attribute, slapd passes the authentication to saslauthd.
- saslauthd queries AD for the object whose sAMAccountName equals the uid value (coudot).
- If the ‘coudot’ user is found in AD, saslauthd attempts to authenticate against AD using that object’s DN and the provided password.
- If authentication against AD succeeds, the user is connected to OpenLDAP.
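The flow above only works when two things line up: the userPassword is a {SASL} value (otherwise slapd compares the bind password against a stored hash instead of delegating), and the user part of that value equals the uid, which is what saslauthd looks up as sAMAccountName in AD. The following added shell helpers (not from the post, the LTB project or OpenLDAP) generate an entry of the shape shown in Step-11 and check an existing entry for exactly those two conditions. The ou=users layout and the attribute names are taken from the page; the names and domain used in the usage are constructed. Note that the ldapsearch bind in Step-11 is a simple bind, so it should go over ldaps:// or with -ZZ (STARTTLS) in practice, since the AD password is sent to slapd in the clear otherwise.

```shell
#!/bin/sh
# Added example: build and validate an OpenLDAP entry whose password check is
# delegated to saslauthd. Assumes uid == AD sAMAccountName and
# userPassword == {SASL}<uid>@<domain>, as described on this page.

# Emit an LDIF entry for a pass-through user.
# $1 uid, $2 cn, $3 sn, $4 SASL domain, $5 base DN (ou=users is prepended)
sasl_user_ldif() {
    printf 'dn: uid=%s,ou=users,%s\n' "$1" "$5"
    printf 'objectClass: inetOrgPerson\nobjectClass: organizationalPerson\n'
    printf 'objectClass: person\nobjectClass: top\n'
    printf 'uid: %s\ncn: %s\nsn: %s\n' "$1" "$2" "$3"
    printf 'userPassword: {SASL}%s@%s\n' "$1" "$4"
}

# Validate an LDIF entry read from stdin. Returns 0 when userPassword is a
# {SASL}user@domain value whose user part equals the uid attribute; otherwise
# prints the reason and returns 1. A mismatch means saslauthd would search AD
# for a different sAMAccountName than the account binding to OpenLDAP.
sasl_entry_check() {
    entry="$(cat)"
    uid="$(printf '%s\n' "$entry" | sed -n 's/^uid: //p' | head -n 1)"
    pw="$(printf '%s\n' "$entry" | sed -n 's/^userPassword: //p' | head -n 1)"
    case "$pw" in
        "{SASL}"*@*) ;;
        *) echo "not a {SASL}user@domain userPassword: $pw"; return 1 ;;
    esac
    sasl_user="${pw#"{SASL}"}"      # strip the {SASL} prefix
    sasl_user="${sasl_user%@*}"     # keep the part before '@'
    if [ "$sasl_user" != "$uid" ]; then
        echo "SASL user '$sasl_user' does not match uid '$uid'"
        return 1
    fi
    return 0
}

# Usage with constructed values: generate the entry, check it, then load it.
# sasl_user_ldif coudot "Clement Oudot" Oudot company.com dc=company,dc=com > user.ldif
# sasl_entry_check < user.ldif && ldapadd -ZZ -x -H ldap://ldap.company.com -D cn=admin,dc=company,dc=com -W -f user.ldif
```

The generated entry can be piped straight into sasl_entry_check; run the check on entries exported from an existing directory as well, since a hand-edited userPassword with the wrong user part fails silently at bind time with a plain "invalid credentials".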
Ref. link: https://ltb-project.org/documentation/general/sasl_delegation