Executive Summary: OpenLDAP’s proxy service can allow LDAP operations to cross the boundaries between AD and OpenLDAP deployments. To demonstrate this proxy service, we walk through the steps to make AD’s cn=Users container, which by default contains all user objects, part of an OpenLDAP directory. To produce the examples in this article, I used CentOS 4.3, OpenLDAP 2.2.13, and AD running on Windows Server 2003 R2. Later in the article, I’ll show you a limitation in the commonly deployed OpenLDAP 2.2, which you can solve by installing OpenLDAP 2.3 on CentOS 4.3.

Solutions Snapshot Problem: You can’t access Active Directory (AD) Schema via OpenLDAP. Solution: Use OpenLDAP’s proxy service to connect to AD. What You Need: CentOS; OpenLDAP; AD running on Windows Server 2003 R2 difficulty:3.5 SOLUTION steps: 1. Start slapd. 2. Configure slapd-ldap; restart slapd and run ldapsearch. 3. Install OpenLDAP 2.3. 4. Modify pidfile and argsfile. 5. Restart slapd and run ldapsearch again.

Both Active Directory (AD) and Open- LDAP play important roles in the enterprise. In fact, within the same company you’ll find the UNIX group using OpenLDAP and the LAN and Windows administrators using AD. However, most people are unable to fully access the AD schema via OpenLDAP.

OpenLDAP and AD can peacefully coexist— the key is finding the best way to allow LDAP operations to cross the boundaries between AD and OpenLDAP deployments. One way to make that happen is to use Open- LDAP’s proxy service. To demonstrate this proxy service, I’ll walk you through the steps to make AD’s cn=Users container, which by default contains all user objects, part of an OpenLDAP directory.

Terms and Versions
Before moving on, let’s define terminology. First, an LDAP server is actually what is known as a Directory Service Agent (DSA). Second, a DSA manages either part or all of a Directory Information Tree (DIT). Several DSAs may be deployed to manage an entire DIT as well as to allow for replication and high availability. The portion of the DIT that a DSA manages is known either as a partition or database. I use the term database.

To produce the examples in this article, I used CentOS 4.3, OpenLDAP 2.2.13, and AD running on Windows Server 2003 R2. Later in the article, I’ll show you a limitation in the commonly deployed OpenLDAP 2.2, which you can solve by installing OpenLDAP 2.3 on CentOS 4.3.(For CentOS 4.3, I use the RPMS found at dev.centos.org/centos/4/testing/ i386/RPMS/.) See the sidebar “Upgrading OpenLDAP on CentOS,” for installation instructions.

Starting the OpenLDAP Server Process
The OpenLDAP server process is named slapd, which stands for “stand-alone LDAP daemon.” It provides almost all of the Open- LDAP server functionality, including the ability to accept connections from LDAP clients, process queries and updates, and implement the ACLs that restrict access to confidential information within the directory. Notably, in OpenLDAP, replication is handled by another process entirely and is beyond the scope of this article.

Let’s start off with a sample slapd configuration that brings up a basic DIT with no ACLs or any other special capabilities. On the OpenLDAP server, configuration starts with the slapd.conf file shown in Listing 1. In this configuration, slapd manages a database for the directory tree dc=testcorp,dc=com.

To start slapd, type the following:

# service ldap start

and load the initial entries into the database.

To load the entries, first enter the information from Listing 2 into a file named dir. ldif. These entries will define a very simple tree which has a suffix (aka root) of dc=testcorp, dc=com and two branches that are ou=People and ou=Groups. Now, load the entries using ldapadd:

 # ldapadd -x -h localhost -D cn=manager,dc=testcorp,
dc=com -W -f dir.ldif
Enter LDAP Password: <value-of-rootpw>
adding new entry “dc=testcorp,dc=com”
adding new entry “ou=People,
 dc=testcorp,dc=com”
adding new entry “ou=Groups,
  dc=testcorp,dc=com”

The –x option specifies that ldapadd should use simple authentication instead of Simple Authentication and Security Layer (SASL). With simple authentication, the LDAP client (in this case, ldapadd) sends the credentials in plaintext. Even if you use LDAP over SSL (LDAPS) or LDAP StartTLS, you’re still using simple authentication, but the tunnel being used for communication is encrypted (and far more secure).

We can test that our entries loaded properly by using ldapsearch

# ldapsearch -LLL -x -h localhost -b ‘dc=testcorp,dc=com’

which performs a query to find all entries below the root of the tree. Figure 1, page 48, shows the results. As expected, ldapsearch returns the three entries that we originally imported via ldapadd. We are now ready to begin working with referrals.

A Caveat to Using Referrals
You saw how easy it is to view entries that OpenLDAP manages by using a simple ldapsearch command on our client—but what about viewing entries that AD manages? For that to happen, you need to direct either the LDAP client or the LDAP server (i.e., OpenLDAP) to AD.

An obvious choice is to use referrals, which is a way for a DSA to forward—or refer—an LDAP request to another DSA. However, while referrals are both powerful and flexible (both for managers and application developers), keep in mind an important caveat: How a client handles a referral is entirely dependent on implementation. For example, OpenLDAP’s ldapsearch can chase referrals when used with the -C option, but only anonymously—ldapsearch doesn’t try to authenticate against the second DSA.

If you did create a referral in OpenLDAP to AD, ldapsearch (as well as other OpenLDAP binaries such as ldapadd) would return output containing the following: “In order to perform this operation a successful bind must be completed on the connection.” This statement simply means that ldapsearch chased the referral to a domain controller (DC) and the operation was rejected because ldapsearch didn’t try to authenticate.

Continue to Page 2

To solve this problem, you could write your own LDAP clients (e.g., using Perl’s Net::LDAP), use another vendor’s toolset, or bypass this issue entirely and use Open- LDAP’s proxy service. I’ll show you the third option.

Using OpenLDAP as a Proxy
OpenLDAP can provide a proxy for connections to AD on behalf of a client. Simply put, OpenLDAP will work with AD for you whenever necessary. The benefit of this approach is that you don’t have to rely on the behavior of the LDAP client—the server, OpenLDAP, will be configured to chase referrals for you so that you don’t have to depend on client behavior, which may or may not work as you want.

With an OpenLDAP proxy, all operations are routed through slapd, even though some need to be performed within AD. For routing through slapd to work, you configure slapd-ldap, the proxy back end for the slapd daemon. You could use other back ends such as slapd-meta, which provides even more features such as naming context rewriting, but slapd-ldap is the simplest to configure during initial testing.

Let’s add a slapd-ldap configuration to slapd.conf. Listing 3 shows the code. In it, you can see several changes:

database ldap. We have defined a new back end by using slapd-ldap, which will be our proxy service.

subordinate. Without this keyword, slapd searches only the database specified by the search base (e.g., if dc=testcorp,dc=com were the specified search base, then cn=users,dc=testcorp,dc=com would never be examined because it’s a different slapd database).

rebind-as-user. This option tells slapd to bind to the remote DSA with the credentials supplied by the client; the credentials must be valid in AD.

Uri. This specifies the remote LDAP server, which in this case is the AD DC. Notice that we aren’t using SSL here—in the real world, you would configure SSL for security.

chase-referrals. This option specifies that slapd will chase any referrals automatically.

What’s interesting is that AD is using the same suffix of dc=testcorp, dc=com as Open- LDAP. Often both UNIX and AD administrators bring up a directory service with the same standard suffix (i.e., naming context), and only later do they find that they need to provide for better integration.

Now, restart slapd and run ldapsearch again:

# ldapsearch -x -h localhost
 -LLL -b dc=testcorp,dc=com -D cn=dpuryear,cn=users,
 dc=testcorp,dc=com -W ‘(cn=dpuryear)’ cn
Enter LDAP Password:

In this example, the ldapsearch command searches against cn = users, dc = testcorp, dc=com, which slapd should map to CN=Users in AD. And slapd does map it, as you can see by the output below:

dn: CN=dpuryear,CN=Users,DC=t
 estcorp,DC=com
cn: dpuryear

which shows the entry CN=dpuryear, CN=Users, DC=testcorp, DC=com— the account for dpuryear in the AD CN=Users container. slapd now knows that any operation against cn=users,dc=testcorp,dc=com (which is our superior in the directory tree), actually requires these steps:

1. Open an LDAP connection to ldap:// dc1.testcorp.com/.
2. Bind with the credentials supplied by the client.
3. Perform the operation.
4. Return the results to the client.

But there’s a problem: We don’t have access to all of the data in AD. To see what I mean, try to return the attribute sAMAccountName, which is specific to the AD schema. When I type

# ldapsearch -x -h localhost -LLL -b
 dc=testcorp,dc=com -D cn=dpuryear,cn=users,dc=testcorp,
 dc=com -W ‘(cn=dpuryear)’ cn sAMAccountName
Enter LDAP Password:

slapd returns only attributes defined in the schema known to OpenLDAP and nothing more:

dn: CN=dpuryear,CN=Users,DC=testcorp,D
 C=com
cn: dpuryear

Notice that sAMAccountName is not shown, even though it exists in AD and was requested in our ldapsearch command. To access all of the data in AD, you need to install the most recent version of OpenLDAP, OpenLDAP 2.3, which can transparently pass unknown schema, albeit with some minor syntax rules applied so that it can perform filtering.

Using OpenLDAP 2.3 to Pass Unknown Schema
You can install OpenLDAP 2.3 either by compiling the source, or, far easier, by installing it from RPM Package Manager (RPM). After installation, the only configuration change required is to modify pidfile and argsfile because the newer OpenLDAP RPM assumes a different location for those files. Listing 4 shows the code for this.

Now, restart slapd and try ldapsearch again—first using the “cn” in your filter

# ldapsearch -x -h localhost -LLL -b
 dc=testcorp,dc=com -D cn=dpuryear,cn=users,dc=testcorp,
 dc=com -W ‘(cn=dpuryear)’ cn sAMAccountName
Enter LDAP Password:

and then the AD-only sAMAccountName:

# ldapsearch -x -h localhost -LLL -b
 dc=testcorp,dc=com -D cn=dpuryear,cn=users,dc=testcorp,
 dc=com -W ‘(sAMAccountName=dpuryear)’ cn
 sAMAccountName
Enter LDAP Password:

Success! As you can see from the following output, ldapsearch queried slapd, which in turn queried AD for us:

dn: cn=dpuryear,cn=Users,dc=testcorp,
 dc=com
cn: dpuryear

SAMACCOUNTNAME: dpuryear

The key difference here is that we now have access to the complete AD schema, including sAMAccountName.

Seamless Access to AD
You should now be able to attach AD to any part of your OpenLDAP directory. You can authenticate your AD users in LDAP applications that use OpenLDAP or even provide access to multiple ADs in your network if they aren’t all part of a larger forest already.

Reader Comments

I loved the subject of this article. We're currently going through an auditing process and integration of our LINUX accounts with AD would go along way in streamlining the way we demonstrate compliance. I would love to see more articles like this that integrate Windows with other OS's. With that in mind the name of this magazine is "WINDOWS IT Pro". While I'd like to think I can navigate a 'nix system pretty well your article leaves a lot of gaps in the low-level processes. Navigation of the web site for the CentOS rpm alone yields several pages of possible downloads with seemingly few distinctions made between them. The sidebars too could be bolstered with details like instructions for downloading the file and transferring it to the unix system (i.e. with an smb mountpoint) and flags for installing the rpm packages (rpm -i filename.rpm). Perhaps I represent the minority, but I'm reading this from a WINDOWS administrator perspective. I realize that simple Linux navigation (like the necessity of "su" 'ing after initial login) is arguably too detailed for inclusion, but the article left a lot of details to be desired. I suppose the argument could be made that if one doesn't know how to log into a Linux system one shouldn't be integrating it with one's enterprise directory. However at a minimum any article proposing this integration should probably narrow down the field of possible downloads available out on (http://dev.centos.org/centos/4/testing/i386/RPMS/) for fear of endorsing the wrong one. Thanks for a great article, but please don’t spare us the details.

I loved the subject of this article. We're currently going through an auditing process and integration of our LINUX accounts with AD would go along way in streamlining the way we demonstrate compliance. I would love to see more articles like this that integrate Windows with other OS's. With that in mind the name of this magazine is "WINDOWS IT Pro". While I'd like to think I can navigate a 'nix system pretty well your article leaves a lot of gaps in the low-level processes. Navigation of the web site for the CentOS rpm alone yields several pages of possible downloads with seemingly few distinctions made between them. The sidebars too could be bolstered with details like instructions for downloading the file and transferring it to the unix system (i.e. with an smb mountpoint) and flags for installing the rpm packages (rpm -i filename.rpm). Perhaps I represent the minority, but I'm reading this from a WINDOWS administrator perspective. I realize that simple Linux navigation (like the necessity of "su" 'ing after initial login) is arguably too detailed for inclusion, but the article left a lot of details to be desired. I suppose the argument could be made that if one doesn't know how to log into a Linux system one shouldn't be integrating it with one's enterprise directory. However at a minimum any article proposing this integration should probably narrow down the field of possible downloads available out on (http://dev.centos.org/centos/4/testing/i386/RPMS/) for fear of endorsing the wrong one. Thanks for a great article, but please don’t spare us the details.

Also - the "printer friendly" version cuts off in the middle of words. This wouldn't be specific to this article, however. Hopefully this comment will only post once. :D