Archive for the ‘ldap’ Category

LDAP replication with syncrepl

Wednesday, July 25th, 2012

Say you want to benefit from LDAP replication, so that one OpenLDAP server acts as a Provider (aka Master) and another one acts as a Consumer (aka Slave).

Here is what you configure on the Provider. In my case it’s Ubuntu 10.04.2 LTS (lucid) and OpenLDAP 2.4.21. I’m using old-school slapd.conf on both servers:

moduleload syncprov

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

And the Consumer part of slapd.conf, on Ubuntu 12.04 LTS (precise) and OpenLDAP 2.4.28:

syncrepl rid=001
        provider=ldaps://ldaps.domain.org:636
        tls_reqcert=never
        searchbase="dc=domain,dc=org"
        filter="(objectClass=*)"
        bindmethod=simple
        binddn="cn=admin,dc=domain,dc=org"
        credentials=xxxxxxx
        retry="60 +"
        type=refreshAndPersist
        scope=sub
        attrs="*,+"
        schemachecking=off
        interval=00:00:05:00
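Once both sides are configured, the practical question is whether the Consumer has actually caught up. The check I use is to read the contextCSN attribute of the suffix entry on both servers and compare them: they are equal when the Consumer is in sync, and the Consumer's value is older when it is behind. The script below is an added example, not part of the original post. It parses the output of `ldapsearch -x -H ldaps://HOST -b "dc=domain,dc=org" -s base contextCSN` run against each server; the two LDIF snippets embedded in it are constructed sample output, and the function and constant names are my own.

```python
"""Decide whether a syncrepl consumer has caught up with its provider by
comparing contextCSN values (added example, not from the original post)."""
import re

# contextCSN layout: <YYYYmmddHHMMSS>.<usec>Z#<change count>#<server id>#<mod count>
CSN_RE = re.compile(
    r"^(?P<ts>\d{14})\.(?P<usec>\d{6})Z#(?P<count>[0-9a-fA-F]{6})"
    r"#(?P<sid>[0-9a-fA-F]{3})#(?P<mod>[0-9a-fA-F]{6})$"
)


def parse_csn(value):
    """Split a contextCSN string into (server id, ordering key)."""
    m = CSN_RE.match(value.strip())
    if not m:
        raise ValueError("not a CSN: %r" % value)
    key = (m.group("ts"), int(m.group("usec")),
           int(m.group("count"), 16), int(m.group("mod"), 16))
    return int(m.group("sid"), 16), key


def context_csns(ldif):
    """Collect the contextCSN values from an ldapsearch LDIF dump, keyed by server id.
    A multi-master setup carries one value per server id; a single provider has one."""
    out = {}
    for line in ldif.splitlines():
        if line.startswith("contextCSN:"):
            sid, key = parse_csn(line.split(":", 1)[1])
            out[sid] = key
    return out


def replication_status(provider_ldif, consumer_ldif):
    """Return {server id: 'in-sync' | 'behind' | 'ahead' | 'missing'}."""
    prov = context_csns(provider_ldif)
    cons = context_csns(consumer_ldif)
    status = {}
    for sid, pkey in prov.items():
        ckey = cons.get(sid)
        if ckey is None:
            status[sid] = "missing"      # consumer has never received this server's changes
        elif ckey == pkey:
            status[sid] = "in-sync"
        elif ckey < pkey:
            status[sid] = "behind"       # consumer still has to apply newer changes
        else:
            status[sid] = "ahead"        # consumer was written to directly; investigate
    return status


# Constructed sample output: the provider carries a newer CSN than the consumer.
PROVIDER_LDIF = """\
dn: dc=domain,dc=org
contextCSN: 20120725120500.123456Z#000000#000#000000
"""
CONSUMER_LDIF = """\
dn: dc=domain,dc=org
contextCSN: 20120725120000.654321Z#000000#000#000000
"""

if __name__ == "__main__":
    for sid, state in sorted(replication_status(PROVIDER_LDIF, CONSUMER_LDIF).items()):
        print("server id %03x: %s" % (sid, state))
```

Running it against the embedded sample reports the consumer as behind. A consumer that reports "ahead" has been modified locally, which syncrepl will not reconcile, so that is the case worth alerting on. One thing to keep in mind when running the ldapsearch over ldaps: the consumer snippet's tls_reqcert=never makes slapd accept any certificate the provider presents; pointing tls_cacert= at the CA file and setting tls_reqcert=demand in the syncrepl directive keeps the replication channel authenticated.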

SharePoint 2010 with OpenLDAP authentication

Wednesday, July 18th, 2012

A relevant piece from web.config that worked for me, allowing SharePoint 2010 to authenticate against OpenLDAP. OpenLDAP is powered by Ubuntu 10.04.2 LTS (lucid) and OpenLDAP 2.4.21 (installed from packages).

Three points to mention:

1. As you can see, I’m using SSL — make sure to import your certificates through mmc.

2. agentname is allowed to search ‘ou=People,dc=domain,dc=org’. In ACL language:

access to dn.subtree="ou=People,dc=domain,dc=org"
    by dn.regex="cn=(.*),ou=Agents,dc=domain,dc=org" read
    by * none

3. I had to enable ‘allow bind_v2’ in slapd.conf to allow agentname to query OpenLDAP, otherwise I was getting ‘historical protocol version requested, use LDAPv3 instead’.

All in all it was a hell of an exercise!

LDAP authentication with Squid

Wednesday, December 14th, 2011

A snippet from squid.conf allowing LDAP authentication during Mon-Fri business hours. Done on Ubuntu 10.04.2 (lucid) and Squid 2.7.STABLE7.

# Configure LDAP auth helper
auth_param basic program /usr/lib/squid/ldap_auth -v 3 -b "ou=Int,ou=People,dc=domain,dc=org" -u "uid" -h ldaps.domain.org

# Requests must carry proxy credentials that the helper above accepts
acl ldapauth proxy_auth REQUIRED

acl int-lan src 192.168.11.0/24
acl daytime time M T W H F 08:30-12:30
acl evening time M T W H F 13:30-17:30

# ACLs named on one http_access line are ANDed, so daytime and evening
# must be on separate lines: a request can never match both windows at once
http_access allow ldapauth int-lan daytime
http_access allow ldapauth int-lan evening
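The reason the two time windows need separate http_access lines is Squid's evaluation model: every ACL named on one line must match (they are ANDed), the first line that matches decides, and when no line matches the default is the opposite of the last line's action. The script below is an added example, not from the original post or from Squid itself; it re-implements that model for the three ACL types used above (src, time, proxy_auth) so the ruleset can be exercised offline. The ACL and http_access lines are constructed to mirror the snippet, the request dictionaries are constructed sample requests, proxy_auth is simplified to "the request carries an authenticated user", and the time range is treated as inclusive at both ends (an assumption; pick test times well inside the window).

```python
"""Toy evaluator for Squid acl / http_access lines (added example, not Squid code)."""
import ipaddress
from datetime import datetime

# Squid day codes for `acl NAME time`, mapped to Python weekday() numbers (Mon=0)
DAY_CODES = {"S": {6}, "M": {0}, "T": {1}, "W": {2}, "H": {3}, "F": {4}, "A": {5},
             "D": {0, 1, 2, 3, 4}}


def to_minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def parse_time_acl(spec):
    """'M T W H F 08:30-12:30' -> (set of weekdays, (start minute, stop minute))."""
    days, window = set(), (0, 24 * 60)
    for token in spec.split():
        if "-" in token and ":" in token:
            start, stop = token.split("-")
            window = (to_minutes(start), to_minutes(stop))
        else:
            for ch in token:          # Squid also accepts concatenated codes like MTWHF
                days |= DAY_CODES[ch]
    return days, window


def build_acls(acl_lines):
    """Turn 'acl NAME TYPE ARGS' lines into matcher callables keyed by NAME."""
    acls = {}
    for line in acl_lines:
        name, kind, args = line.split(None, 3)[1:]      # drop the leading 'acl'
        if kind == "src":
            net = ipaddress.ip_network(args, strict=False)
            acls[name] = lambda req, net=net: ipaddress.ip_address(req["src"]) in net
        elif kind == "time":
            days, (start, stop) = parse_time_acl(args)
            acls[name] = lambda req, days=days, start=start, stop=stop: (
                req["when"].weekday() in days
                and start <= req["when"].hour * 60 + req["when"].minute <= stop)
        elif kind == "proxy_auth":
            # Simplification: matches when the request already carries an authenticated user
            acls[name] = lambda req: req.get("user") is not None
        else:
            raise ValueError("unsupported acl type: " + kind)
    return acls


def parse_http_access(lines):
    """'http_access allow a b c' -> ('allow', ['a', 'b', 'c'])."""
    return [(line.split()[1], line.split()[2:]) for line in lines]


def http_access(rules, acls, req):
    """First line whose ACLs all match decides; otherwise the opposite of the last line."""
    for action, names in rules:
        if all(acls[n](req) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed ruleset mirroring the squid.conf snippet above
ACLS = build_acls([
    "acl ldapauth proxy_auth REQUIRED",
    "acl int-lan src 192.168.11.0/24",
    "acl daytime time M T W H F 08:30-12:30",
    "acl evening time M T W H F 13:30-17:30",
])
ONE_LINE = parse_http_access(["http_access allow ldapauth int-lan daytime evening"])
TWO_LINES = parse_http_access(["http_access allow ldapauth int-lan daytime",
                               "http_access allow ldapauth int-lan evening"])


def sample_request(hour, minute, user="alice", src="192.168.11.42"):
    """Constructed request on Wednesday 2011-12-14 from the internal LAN."""
    return {"src": src, "when": datetime(2011, 12, 14, hour, minute), "user": user}


if __name__ == "__main__":
    print("one line, 10:00 ->", http_access(ONE_LINE, ACLS, sample_request(10, 0)))
    print("two lines, 10:00 ->", http_access(TWO_LINES, ACLS, sample_request(10, 0)))
    print("two lines, 13:00 ->", http_access(TWO_LINES, ACLS, sample_request(13, 0)))
```

With the single combined line, a 10:00 request is denied because "daytime" and "evening" can never be true at the same moment; with the two separate lines it is allowed, while the lunch gap, unauthenticated requests and requests from outside 192.168.11.0/24 fall through to the default deny.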

LDAP authentication with Apache

Monday, January 10th, 2011

A snippet from httpd.conf allowing LDAP authentication. Done on Ubuntu.

AuthType Basic
AuthBasicProvider ldap
AuthName "LDAP Secure Area"
Require valid-user
AuthLDAPBindDN "cn=username,ou=People,dc=domain,dc=org"
AuthLDAPBindPassword XXXXXXXX
AuthzLDAPAuthoritative off
AuthLDAPCompareDNOnServer On
AuthLDAPURL ldaps://ldaps.domain.org/ou=Internal,ou=People,dc=domain,dc=org?uid