Posts Tagged ‘ldap’

LDAP replication with syncrepl

Wednesday, July 25th, 2012

Say you want to benefit from LDAP replication so one OpenLDAP server acts as a Provider (aka Master) and another one acts as a Consumer (aka Slave).

Here is what you configure on the Provider. In my case it’s Ubuntu 10.04.2 LTS (lucid) and OpenLDAP 2.4.21. I’m using old school slapd.conf on both servers:

    # Provider: load the syncprov overlay module (global section of slapd.conf)
    moduleload syncprov

    # Provider: enable the overlay inside the database section that holds the replicated suffix
    overlay syncprov
    # write the contextCSN to the database every 100 operations or every 10 minutes
    syncprov-checkpoint 100 10
    # keep a log of the last 100 write operations so a reconnecting Consumer can catch up without a full refresh
    syncprov-sessionlog 100

And the Consumer part of slapd.conf, on Ubuntu 12.04 LTS (precise) with OpenLDAP 2.4.28:

    # Consumer: pull dc=domain,dc=org from the Provider over LDAPS (port 636).
    # Indented lines continue the syncrepl directive, so no comments may sit between them.
    # tls_reqcert=never skips verification of the Provider's certificate, so the Consumer cannot
    #   tell a genuine Provider from an impostor; "demand" together with tls_cacert is the safe setting.
    # retry="60 +" retries a lost connection every 60 seconds, indefinitely.
    # type=refreshAndPersist does an initial refresh and then keeps a persistent connection that
    #   streams changes as they happen; interval= is only used with refreshOnly and is ignored here.
    # attrs="*,+" replicates both user and operational attributes.
    syncrepl rid=001
            provider=ldaps://ldaps.domain.org:636
            tls_reqcert=never
            searchbase="dc=domain,dc=org"
            filter="(objectClass=*)"
            bindmethod=simple
            binddn="cn=admin,dc=domain,dc=org"
            credentials=xxxxxxx
            retry="60 +"
            type=refreshAndPersist
            scope=sub
            attrs="*,+"
            schemachecking=off
            interval=00:00:05:00
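Once both sides are configured, the usual way to confirm that the Consumer has caught up is to compare the contextCSN attribute of the suffix entry on the two servers. The Python script below is an added example, not part of the original post: it parses the contextCSN values out of an ldapsearch result, compares them per server ID (the third field of the CSN) and reports how far behind the Consumer is. The two LDIF samples are constructed; the suffix dc=domain,dc=org, the LDAPS URIs and the use of ldapsearch from ldap-utils are assumptions taken from the post's configuration.

```python
"""Check OpenLDAP syncrepl convergence by comparing contextCSN values (added example)."""
import re
import subprocess
import sys
from datetime import datetime, timezone

# Suffix assumed from the post's searchbase.
BASE = "dc=domain,dc=org"

# OpenLDAP CSN layout, fixed width so plain string comparison orders them:
#   <timestamp>Z#<count>#<sid>#<modifier>
CSN_RE = re.compile(
    r"^(?P<ts>\d{14}\.\d{6})Z#(?P<count>[0-9a-fA-F]{6})"
    r"#(?P<sid>[0-9a-fA-F]{3})#(?P<mod>[0-9a-fA-F]{6})$"
)

# Constructed sample results of "ldapsearch -LLL -s base contextCSN" on each server.
PROVIDER_LDIF = (
    "dn: dc=domain,dc=org\n"
    "contextCSN: 20120725103015.123456Z#000000#000#000000\n\n"
)
CONSUMER_LDIF = (
    "dn: dc=domain,dc=org\n"
    "contextCSN: 20120725102945.123456Z#000000#000#000000\n\n"
)


def parse_context_csn(ldif_text):
    """Return {sid: csn_string} for every contextCSN line in an LDIF base search result."""
    csns = {}
    for line in ldif_text.splitlines():
        if not line.startswith("contextCSN: "):
            continue
        value = line[len("contextCSN: "):].strip()
        match = CSN_RE.match(value)
        if not match:
            raise ValueError("unrecognised contextCSN value: %r" % value)
        csns[match.group("sid")] = value
    return csns


def csn_time(csn):
    """Timestamp part of a CSN as an aware UTC datetime."""
    stamp = csn.split("#", 1)[0].rstrip("Z")
    return datetime.strptime(stamp, "%Y%m%d%H%M%S.%f").replace(tzinfo=timezone.utc)


def replication_status(provider_ldif, consumer_ldif):
    """Per-SID comparison: {sid: {"in_sync": bool, "lag_seconds": float or None}}.

    A Consumer is in sync for a SID when its CSN is at least the Provider's; a SID the
    Consumer has never seen is reported as out of sync with unknown lag.
    """
    provider = parse_context_csn(provider_ldif)
    consumer = parse_context_csn(consumer_ldif)
    status = {}
    for sid, pcsn in provider.items():
        ccsn = consumer.get(sid)
        if ccsn is None:
            status[sid] = {"in_sync": False, "lag_seconds": None}
            continue
        lag = (csn_time(pcsn) - csn_time(ccsn)).total_seconds()
        status[sid] = {"in_sync": ccsn >= pcsn, "lag_seconds": max(lag, 0.0)}
    return status


def fetch_context_csn(uri, base=BASE):
    """Run ldapsearch (ldap-utils) against a live server and return the LDIF text."""
    result = subprocess.run(
        ["ldapsearch", "-LLL", "-x", "-H", uri, "-b", base, "-s", "base", "contextCSN"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_syncrepl.py ldaps://provider-host ldaps://consumer-host")
    report = replication_status(fetch_context_csn(sys.argv[1]), fetch_context_csn(sys.argv[2]))
    for sid, info in sorted(report.items()):
        print(sid, "in sync" if info["in_sync"] else "BEHIND", "lag:", info["lag_seconds"])
    sys.exit(0 if all(info["in_sync"] for info in report.values()) else 1)
```

Run with the Provider and Consumer URIs as the two arguments; the exit status is non-zero whenever any SID on the Consumer lags, which makes it usable from a monitoring check. With the constructed samples the Consumer is 30 seconds behind.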

SharePoint 2010 with OpenLDAP authentication

Wednesday, July 18th, 2012

A relevant piece from web.config that worked for me, allowing SharePoint 2010 to authenticate against OpenLDAP. OpenLDAP runs on Ubuntu 10.04.2 LTS (lucid), version 2.4.21 (installed from packages).

    <membership>
      <providers>
        <add name="membership"
          type="Microsoft.Office.Server.Security.LDAPMembershipProvider,Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral,PublicKeyToken=71e9bce111e9429c"
          server="ldaps.domain.org"
          port="636"
          useSSL="true"
          connectionUsername="cn=agentname,ou=Agents,dc=domain,dc=org"
          connectionPassword="xxxxxxxxx"
          useDNAttribute="false"
          userNameAttribute="uid"
          userContainer="ou=People,dc=domain,dc=org"
          userObjectClass="person"
          userFilter="(objectClass=person)"
          scope="Subtree"
          otherRequiredUserAttributes="uid,cn" />
      </providers>
    </membership>

Three points to mention:

1. As you can see I’m using SSL — make sure to import your certificates through mmc.

2. agentname is allowed to search ‘ou=People,dc=domain,dc=org’. In ACL language:

    # any entry under ou=Agents may read (and therefore search) the People subtree;
    # everyone else, anonymous included, gets nothing from this rule.
    # Rules are tried in order and the first matching "access to" wins, so keep this
    # after the usual "access to attrs=userPassword ... by anonymous auth" rule.
    access to dn.subtree="ou=People,dc=domain,dc=org"
        by dn.regex="cn=(.*),ou=Agents,dc=domain,dc=org" read
        by * none

3. I had to enable ‘allow bind_v2’ in slapd.conf to allow agentname to query OpenLDAP, otherwise I was getting ‘historical protocol version requested, use LDAPv3 instead’.

All in all it was a hell of an exercise!

LDAP authentication with Squid

Wednesday, December 14th, 2011

A snippet from squid.conf allowing LDAP-authenticated access during Mon-Fri business hours. Done on Ubuntu 10.04.2 (lucid) and Squid 2.7.STABLE7.

    # Configure LDAP auth helper: LDAPv3, search base for users, login name matched against uid
    auth_param basic program /usr/lib/squid/ldap_auth -v 3 -b "ou=Int,ou=People,dc=domain,dc=org" -u "uid" -h ldaps.domain.org
    # the ACL that triggers authentication; it must be defined before http_access refers to it
    acl ldapauth proxy_auth REQUIRED

    acl int-lan src 192.168.11.0/24
    # time ACLs: M T W H F is Monday to Friday
    acl daytime time M T W H F 08:30-12:30
    acl evening time M T W H F 13:30-17:30

    # every ACL on one http_access line must match (logical AND), so each time window gets its own line
    http_access allow ldapauth int-lan daytime
    http_access allow ldapauth int-lan evening

LDAP authentication with Apache

Monday, January 10th, 2011

A snippet from httpd.conf allowing LDAP authentication. Done on Ubuntu.

    # Apache 2.2 with mod_authnz_ldap: search for the user as the bind DN, then verify the password against LDAP
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "LDAP Secure Area"
    Require valid-user
    AuthLDAPBindDN "cn=username,ou=People,dc=domain,dc=org"
    AuthLDAPBindPassword XXXXXXXX
    # 2.2-only directive (removed in 2.4): let other authorization modules decide when LDAP does not
    AuthzLDAPAuthoritative off
    # have the server evaluate DN comparisons instead of comparing strings locally
    AuthLDAPCompareDNOnServer On
    # LDAPS URL: host, search base, and the attribute (uid) matched against the login name
    AuthLDAPURL ldaps://ldaps.domain.org/ou=Internal,ou=People,dc=domain,dc=org?uid