OpenLDAP Pass through authentication with SASL to Active Directory


As per the OpenLDAP 2.4 Administration guide: Since OpenLDAP 2.0 slapd has had the ability to delegate password verification to a separate process. This uses the sasl_checkpass(3) function so it can use any back-end server that Cyrus SASL supports for checking passwords. The choice is very wide, as one option is to use saslauthd(8) which in turn can use local files, Kerberos, an IMAP server, another LDAP server, or anything supported by the PAM mechanism.

A real-world use case is the coexistence of OpenLDAP and Active Directory: one choice is to keep the password in AD and configure pass-through authentication between OpenLDAP and AD. With this setup, authentications done against OpenLDAP use the AD password.

By establishing pass-through authentication the following advantages could be achieved:

  • Single password policy.
  • No need to remember multiple passwords.

In our case, Active Directory will play a role of such authentication back-end.

Environment Details and Software Versions:

  • Ubuntu 12.04 LTS.
  • Windows System.
  • OpenLDAP 2.4.40.
  • Microsoft Active Directory.

Prerequisite:

  • Basic understanding of LDAP and Active Directory terms / terminology is required to understand this blog.
  • OpenLDAP and Active Directory are working properly.
  • OpenLDAP is running on Ubuntu system and Active Directory is running on Windows System.

Step-1: Install Cyrus SASL.

sudo apt-get install libsasl2-dev

Step-2: Configure OpenLDAP to work with Cyrus SASL.

Navigate to your openldap directory and then run:

./configure --enable-spasswd --with-cyrus-sasl 

Execute the following command after that:

  1. sudo make depend
  2. sudo make

Step-3: Reinstall the OpenLDAP software with the following command.

Note: Before installing, take the backup of your current running OpenLDAP directory.

sudo make install 

After running the above command, a new schema folder is created in your openldap directory and the old schema folder is renamed to schema.xxxx in the same directory. You can compare both folders and apply the changes as needed.

After making both schema and schema.xxxx identical (if required), schema.xxxx can be removed.

Step-4: Install the saslauthd daemon using the following command.

sudo apt-get install sasl2-bin 

Step-5: Open the saslauthd file located in the ‘/etc/default’ directory and update the following:

START=yes
MECHANISMS="ldap" 

Step-6: Add the OpenLDAP service account (the ‘ldap’ user) to the sasl group so slapd can reach the saslauthd socket, by executing the following command:

sudo adduser ldap sasl

Step-7: Set up the connection and search parameters that saslauthd uses against Active Directory.

Create/edit the file ‘/etc/saslauthd.conf’ and configure it as given below (%U is replaced by the user part of the name being authenticated):

ldap_servers: ldap://ad-address:port_no
ldap_search_base: dc=company,dc=com
ldap_filter: sAMAccountName=%U
ldap_bind_dn: cn=saslauthd,cn=users,dc=company,dc=com
ldap_password: password007 

Step-8: Restart saslauthd and test the SASL authentication part on its own:

Restart: sudo service saslauthd restart
Test SASLAUTHD: testsaslauthd -u coudot -p password 

Step-9: Communication between OpenLDAP and SASL

  1. Create/edit the slapd.conf file in the ‘/usr/lib/sasl2’ directory and add the following:
    mech_list: plain
    pwcheck_method: saslauthd
    saslauthd_path: /var/run/saslauthd/mux 
  2. Edit/Add OpenLDAP configuration (/openldap/slapd.conf) to configure SASL parameters:
    sasl-host localhost
    sasl-secprops   none 
  3. Restart OpenLDAP and SASL:
    sudo service slapd restart
    sudo service saslauthd restart 

Step-10: If the following error/warning occurs when restarting the ‘saslauthd’ service:

Error:
/usr/sbin/saslauthd: /usr/local/lib/liblber-2.4.so.2: no version information available (required by /usr/sbin/saslauthd)
/usr/sbin/saslauthd: /usr/local/lib/libldap_r-2.4.so.2: no version information available (required by /usr/sbin/saslauthd) 

Then, execute the following commands one by one:

sudo ln -fs /usr/local/lib/liblber-2.4.so.2 /usr/local/lib/
sudo ln -fs /usr/local/lib/libldap_r-2.4.so.2 /usr/local/lib/
 

Step-11: Test the authentication with an OpenLDAP user.

Create a user in OpenLDAP, set its uid to the same value as the AD user’s sAMAccountName, and set the ‘userPassword’ attribute in the ‘{SASL}user@domain’ format, as in the example below:

dn: uid=coudot,ou=users,dc=company,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: coudot
cn: Ctox oudot
sn: oudot
userPassword: {SASL}coudot@company.com

Now you can bind as the OpenLDAP user with the AD password:

ldapsearch -x -H ldap://ldap.company.com -b dc=company,dc=com -D uid=coudot,ou=users,dc=company,dc=com -w password 
  1. SLAPD locates the object with DN uid=coudot,ou=users,dc=company,dc=com.
  2. If that object carries the value {SASL}coudot@company.com in its userPassword attribute, SLAPD passes the authentication to SASLAUTHD.
  3. SASLAUTHD searches AD for the object whose sAMAccountName equals the uid value (coudot).
  4. If the ‘coudot’ user is found in AD, SASLAUTHD attempts to bind to AD with the DN it found and the password supplied by the client.
  5. If the bind to AD succeeds, the user is authenticated to OpenLDAP.
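The decision chain above, together with the saslauthd.conf template from Step-7, as an added simulation that is not part of the original post and not code from OpenLDAP or Cyrus SASL. It parses the configuration, splits the ‘{SASL}user@domain’ value, expands saslauthd’s %U/%r/%u tokens in ldap_filter and walks the same slapd -> saslauthd -> AD steps against a constructed in-memory stand-in for AD; the host, passwords and AD object are made-up values.

```python
import re

# Constructed saslauthd.conf mirroring Step-7 (hypothetical host and values).
SASLAUTHD_CONF = """\
ldap_servers: ldap://ad-address:port_no
ldap_search_base: dc=company,dc=com
ldap_filter: sAMAccountName=%U
ldap_bind_dn: cn=saslauthd,cn=users,dc=company,dc=com
ldap_password: password007
"""
# Constructed stand-in for AD: sAMAccountName and password are made-up values.
FAKE_AD = [{"sAMAccountName": "coudot", "password": "password"}]

def parse_saslauthd_conf(text):
    """Parse the 'key: value' lines of saslauthd.conf into a dict."""
    conf = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def sasl_target(user_password):
    """Split '{SASL}user@realm' into (user, realm); None if slapd checks it locally."""
    m = re.fullmatch(r"\{SASL\}([^@]+)(?:@(.+))?", user_password)
    return (m.group(1), m.group(2)) if m else None

def expand_filter(template, user, realm):
    """Expand saslauthd's %U (user part), %r (realm) and %u (full name) tokens."""
    tokens = {"%U": user, "%r": realm or "", "%u": f"{user}@{realm}" if realm else user}
    return re.sub(r"%[Uur]", lambda m: tokens[m.group(0)], template)

def fake_ad_search(ad, ad_filter):
    """Evaluate a plain 'attr=value' filter against the constructed AD objects."""
    attr, _, value = ad_filter.strip("()").partition("=")
    return [obj for obj in ad if obj.get(attr) == value]

def passthrough_bind(entry, bind_password, conf, ad=FAKE_AD):
    """Walk the Step-11 chain: slapd -> saslauthd -> AD search -> AD bind as that object."""
    target = sasl_target(entry.get("userPassword", ""))
    if target is None:
        return "local"         # no {SASL} prefix: slapd verifies the stored hash itself
    user, realm = target
    if user != entry.get("uid"):
        return "uid-mismatch"  # Step-11 requires uid to equal the AD sAMAccountName
    matches = fake_ad_search(ad, expand_filter(conf["ldap_filter"], user, realm))
    if len(matches) != 1:
        return "no-ad-object"  # saslauthd needs exactly one object to bind as
    return "ok" if matches[0]["password"] == bind_password else "bad-password"
```

Running passthrough_bind against an entry whose uid differs from the {SASL} user, or whose userPassword has no {SASL} prefix, shows which stage the real setup would stop at before any AD bind is attempted.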

Ref. link: https://ltb-project.org/documentation/general/sasl_delegation
