Delegate OpenLDAP authentication to AD on CentOS

Goal and mechanisms

The goal is to keep Unix users in OpenLDAP without having to synchronize passwords between that LDAP server and an Active Directory server.

The idea is to have OpenLDAP delegate password checks to the Cyrus SASL daemon (saslauthd). That daemon in turn verifies the credentials against the AD server with an LDAP bind.

This documentation assumes that you already know about configuring OpenLDAP and Active Directory.

Configuration of the server

In this example:

  • AD side:
    • server name: ad.pocentek.net
    • domain (realm): pocentek.net
    • auth user: sasl
    • actual user: ad_user
  • OpenLDAP side:
    • suffix: dc=pocentek,dc=net
    • user: uid=ldap_user,ou=People,dc=pocentek,dc=net

Saslauthd setup

  1. Install the cyrus SASL daemon and its LDAP plugin:

    # yum install cyrus-sasl cyrus-sasl-ldap
    
  2. Edit the /etc/sysconfig/saslauthd file to enable the LDAP mechanism and add the -r switch to the daemon, so that the login name is passed combined with the realm (user@realm), which is the form the filter below matches:

    SOCKETDIR=/var/run/saslauthd
    MECH=ldap
    FLAGS="-r"
    
  3. Define the LDAP access parameters in /etc/saslauthd.conf:

    ldap_servers: ldap://ad.pocentek.net
    ldap_search_base: dc=pocentek,dc=net
    ldap_filter: (userPrincipalName=%u)
    ldap_bind_dn: cn=sasl,cn=users,dc=pocentek,dc=net
    ldap_password: secret
    
  4. Start the daemon:

    # chkconfig saslauthd on
    # service saslauthd start
    
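Before the bind password in /etc/saslauthd.conf goes into production, it is worth checking the two files above for the settings that matter: the mechanism and the -r switch, the required keys, whether the connection to AD is protected by TLS (with ldap:// and no ldap_start_tls, the bind password and every forwarded user password cross the network in cleartext), whether the AD certificate is verified, and whether the file holding ldap_password is readable by anyone but root. The following audit script is an added example, not part of the original article; the sample file contents are constructed here (the article's own settings as the weak case, plus a hardened copy), and the option names ldap_start_tls, ldap_tls_check_peer and ldap_tls_cacert_file are the standard saslauthd LDAP options.

```shell
#!/bin/sh
# Added example (not part of the original article): audit the two saslauthd
# files configured above before the AD bind password goes into production.
# Sample file contents are constructed here; the paths are only what the
# article uses.

# Read "key: value" from a saslauthd.conf-style file.
conf_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1"
}

# /etc/sysconfig/saslauthd: the ldap mechanism must be selected, and -r must
# be present so the login name is passed as user@realm, which is what the
# (userPrincipalName=%u) filter expects.  Returns 1 on any finding.
check_sysconfig() {
    rc=0
    mech=$(sed -n 's/^MECH=//p' "$1" | tr -d '"')
    [ "$mech" = "ldap" ] || { echo "MECH is '$mech', expected ldap"; rc=1; }
    case "$(sed -n 's/^FLAGS=//p' "$1")" in
        *-r*) ;;
        *) echo "FLAGS lacks -r: realm not appended, userPrincipalName lookups will fail"; rc=1 ;;
    esac
    return $rc
}

# /etc/saslauthd.conf: required keys, transport protection for the bind
# password and for every user password saslauthd forwards, and file mode.
check_saslauthd_conf() {
    rc=0
    for k in ldap_servers ldap_search_base ldap_filter ldap_bind_dn ldap_password; do
        [ -n "$(conf_get "$1" $k)" ] || { echo "missing $k"; rc=1; }
    done
    servers=$(conf_get "$1" ldap_servers)
    case "$servers" in
        ldaps://*) tls=yes ;;                       # TLS from the start
        *) tls=$(conf_get "$1" ldap_start_tls) ;;  # STARTTLS on ldap://
    esac
    if [ "$tls" != "yes" ]; then
        echo "$servers without TLS: passwords cross the network in cleartext"; rc=1
    elif [ "$(conf_get "$1" ldap_tls_check_peer)" != "yes" ]; then
        echo "TLS without 'ldap_tls_check_peer: yes': AD certificate is not verified"; rc=1
    fi
    # Group/other permission bits from ls -l, e.g. "r--r--" for mode 0644.
    case "$(ls -l "$1" | cut -c5-10)" in
        *[rwx]*) echo "$1 is readable by group/other but holds ldap_password"; rc=1 ;;
    esac
    return $rc
}

# --- demo with constructed files: the article's settings vs. a hardened copy
tmp=$(mktemp -d)
printf 'SOCKETDIR=/var/run/saslauthd\nMECH=ldap\nFLAGS="-r"\n' > "$tmp/sysconfig"
cat > "$tmp/weak.conf" <<'EOF'
ldap_servers: ldap://ad.pocentek.net
ldap_search_base: dc=pocentek,dc=net
ldap_filter: (userPrincipalName=%u)
ldap_bind_dn: cn=sasl,cn=users,dc=pocentek,dc=net
ldap_password: secret
EOF
chmod 644 "$tmp/weak.conf"
cat > "$tmp/hardened.conf" <<'EOF'
ldap_servers: ldap://ad.pocentek.net
ldap_start_tls: yes
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/pki/tls/certs/ad-ca.pem
ldap_search_base: dc=pocentek,dc=net
ldap_filter: (userPrincipalName=%u)
ldap_bind_dn: cn=sasl,cn=users,dc=pocentek,dc=net
ldap_password: secret
EOF
chmod 600 "$tmp/hardened.conf"

check_sysconfig "$tmp/sysconfig" && echo "sysconfig: ok"
check_saslauthd_conf "$tmp/weak.conf" || echo "weak.conf: findings above (expected)"
check_saslauthd_conf "$tmp/hardened.conf" && echo "hardened.conf: ok"
```

Run it against the real files with `check_sysconfig /etc/sysconfig/saslauthd` and `check_saslauthd_conf /etc/saslauthd.conf` after the daemon is configured; the hardened sample above is what the article's configuration looks like once STARTTLS and certificate verification are switched on and the file is restricted to root.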

Saslauthd test

Test the AD user authentication with a correct and an erroneous password (the first call must succeed, the second must be refused):

$ testsaslauthd -u ad_user@pocentek.net -p real_password
$ testsaslauthd -u ad_user@pocentek.net -p wrong_password

OpenLDAP setup

  1. Update the /usr/lib64/sasl2/slapd.conf file to instruct OpenLDAP how to connect to the SASL daemon:

  2. Restart the LDAP server.

  3. Modify the LDAP userPassword attribute for the user to:

    userPassword: {SASL}ad_user@pocentek.net
    

Use ldapwhoami, binding with the LDAP user's DN and the AD password, to validate that the delegation works:

ldapwhoami -x -D "uid=ldap_user,ou=People,dc=pocentek,dc=net" -w ad_password
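Two things on the OpenLDAP side are easy to get wrong: the {SASL} identity must be in the user@realm form that saslauthd -r and the (userPrincipalName=%u) filter expect, and the socket slapd connects to must be the mux socket under the SOCKETDIR configured in /etc/sysconfig/saslauthd. The script below is an added example, not part of the original article. Since the article does not show the contents of /usr/lib64/sasl2/slapd.conf, it assumes the standard Cyrus SASL settings for that file (pwcheck_method: saslauthd and saslauthd_path, with /var/run/saslauthd/mux taken as the default path); the file contents are constructed.

```shell
#!/bin/sh
# Added example (not part of the original article): OpenLDAP-side checks and
# the LDIF that switches a user to delegated authentication.  The slapd SASL
# settings checked here are the standard Cyrus SASL ones, assumed because the
# article does not show the contents of /usr/lib64/sasl2/slapd.conf.

# Emit the ldapmodify input that points userPassword at saslauthd.  The
# identity must be user@realm (what saslauthd -r produces and the
# userPrincipalName filter matches); anything else is rejected.
sasl_password_ldif() {
    dn="$1"; identity="$2"
    case "$identity" in
        *@?*) ;;
        *) echo "identity '$identity' is not of the form user@realm" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: {SASL}%s\n' \
        "$dn" "$identity"
}

# Verify that slapd's SASL config hands password checks to saslauthd and that
# the socket path agrees with SOCKETDIR in /etc/sysconfig/saslauthd (the mux
# socket lives under that directory).  Returns 1 on mismatch.
check_slapd_sasl() {
    slapd_conf="$1"; sysconfig="$2"
    method=$(sed -n 's/^pwcheck_method:[[:space:]]*//p' "$slapd_conf")
    [ "$method" = "saslauthd" ] || { echo "pwcheck_method is '$method', expected saslauthd"; return 1; }
    path=$(sed -n 's/^saslauthd_path:[[:space:]]*//p' "$slapd_conf")
    [ -n "$path" ] || path=/var/run/saslauthd/mux   # assumed default socket path
    sockdir=$(sed -n 's/^SOCKETDIR=//p' "$sysconfig" | tr -d '"')
    [ "$path" = "$sockdir/mux" ] || { echo "saslauthd_path $path does not match SOCKETDIR $sockdir"; return 1; }
    return 0
}

# --- demo with constructed files
tmp=$(mktemp -d)
printf 'pwcheck_method: saslauthd\nsaslauthd_path: /var/run/saslauthd/mux\n' > "$tmp/slapd.conf"
printf 'SOCKETDIR=/var/run/saslauthd\nMECH=ldap\nFLAGS="-r"\n' > "$tmp/sysconfig"
check_slapd_sasl "$tmp/slapd.conf" "$tmp/sysconfig" && echo "slapd SASL config: ok"
sasl_password_ldif "uid=ldap_user,ou=People,dc=pocentek,dc=net" "ad_user@pocentek.net"
```

The LDIF can be piped straight into ldapmodify with an administrative bind. For the final ldapwhoami check, prefer -W (prompt) over -w: a password given with -w is visible to every local user in the process list for as long as the command runs.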