Pass-through OpenLDAP Authentication (Using SASL) to Active Directory on Centos

The idea is to ask OpenLDAP to delegate the authentication using the SASL protocol. Then the saslauth daemon performs the authentication on the Active Directory server using the LDAP protocol.

Before we begin, let’s ensure we are good with the terminology used in this document and its definition.

LDAP vs Active Directory vs OpenLDAP?

OpenLDAP – OpenLDAP is a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License.

Active Directory is a database based system that provides authentication, directory, policy, and other services in a Windows environment

LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory, OpenLDAP, which supports a form of LDAP.

In Precise:
– AD is a directory services database in a Windows environment.
– OpenLDAP is again a directory services database in a Linux environment.
– LDAP is one of the protocols you can use to talk to it.

SASL
Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. Authentication mechanisms can also support proxy authorization, a facility allowing one user to assume the identity of another.

Pass-Through authentication is a mechanism used by some LDAP directories to delegate authentication operations (BIND) to other backbends.

Pass-Through authentication is purely transparent for LDAP clients, as they send standard authentication operations to the LDAP directory, which will then handle the delegation and forward the response to the client, as the authentication was done locally.

Fig: 1.1 – Password is stored in a AD and  OpenLDAP directories delegate authentication to it.

In Our use case, we will be adding the actual user profile in our locally installed (on CentOS 7) OpenLDAP server without any passwords. Then we will be configuring a pass-through authentication between OpenLDAP and AD using saslauth demon. So that whenever an authentication request sent to OpenLDAP server, it will ask the Active Directory to validate the password stored in its database.

This documentation assumes that you already know about configuring OpenLDAP and Active Directory.

Ref:- To Install and configure OpenLDAP on CentOS – https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html

Step 1: connection to the backend

You need to get all connection parameters to the authentication backend. An example with Active Directory:

  • Server address: ldap://ad.hellovinoth.com (or) ldap://10.14.48.48
  • Bind DN: CN=Administrator,CN=Users,DC=hellovinoth,DC=com
  • Bind Password: ADpassword
  • Users branch: CN=DomainUsers,DC=hellovinoth,DC=com

For our environment, we can check these settings with an ldapsearch:

ldapsearch -x -LLL -H ldap://10.14.48.48 -D "IN\cloud.ADM" -w '[email protected]' -b "DC=in,DC=hellovinoth,DC=com" "(&(objectclass=user)([email protected]))"

The output we will be getting in response confirms the successful connection establishment with our AD.

Step 2: Define the LDAP access parameters

Add below entries in /etc/saslauthd.conf:

 ldap_servers: ldap://10.14.48.48
ldap_search_base: DC=in,DC=hellovinoth,DC=com
ldap_timeout: 10
ldap_filter: sAMAccountName=%U
ldap_bind_dn: IN\cloud.ADM
ldap_password: [email protected]
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind

Step 3: Saslauthd setup

Install the cyrus SASL daemon and its LDAP plugin:

# yum install cyrus-sasl
cyrus-sasl-ldap

check wheather your SASL daemon supports LDAP:

# saslauthd -v

If not, reinstall an LDAP aware saslauthd daemon.

Step 4: Activate LDAP as SASL mechanism

Edit the /etc/sysconfig/saslauthd file to enable LDAP mechanism and add the -r switch to the daemon:

 SOCKETDIR=/var/run/saslauthd
MECH=ldap
FLAGS="-O /etc/saslauthd.conf"

Now, Start saslauthd:

# chkconfig saslauthd on
# service saslauthd restart

Step 5: Configure the communication between OpenLDAP and saslauthd

Update the /usr/lib64/sasl2/slapd.conf file to instruct OpenLDAP, how to connect to the SASL daemon. The communication between the two daemons are done through a mutex, configured like this:

pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

Step 6: Add OpenLDAP user to sasl group (adapt names to your distribution settings):

usermod -a -G saslauth
ldap

Step 7: OpenLDAP configuration

Edit/Add OpenLDAP configuration file  /etc/openldap/slapd.conf to configure the SASL parameters:

sasl-host       localhost
sasl-secprops   none

Restart OpenLDAP:

# service slapd restart

Step 8: Test SASL authentication:

You can test the SASL part with this command:

# testsaslauthd -u cloud.ADM -p [email protected]

Step 9: Create an account in OpenLDAP:

Create a ldif file for new user creation:

 dn: uid=<User Name Here>,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: <User Name Here>
uid: <User Name Here>
uidNumber: <UID_here>
gidNumber: 100
homeDirectory: /home/<User Name Here>
loginShell: /bin/bash
gecos: <User Name Here> [Admin (at) my-domain]
userPassword: {SASL}<User email ID Here>

Use the ldapadd command with the above file to create a new user in OpenLDAP directory.

ldapadd -x -W -D
"cn=ldapadm,dc=my-domain,dc=com" -f Vinoth.Selvaraj_9998.ldif

Sample .ldif file for your reference:

dn: uid=vinoth.selvaraj,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: vinoth.selvaraj
uid: vinoth.selvaraj
uidNumber: 9998
gidNumber: 100
homeDirectory: /home/vinoth.selvaraj
loginShell: /bin/bash
gecos: Vinoth.selvaraj [Admin (at) my-domain]
userPassword: {SASL}[email protected]

Congratulate Yourself!

Now, login to your CentOS server using your Active Directory credentials.

Reference Link below:

https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html

https://gauvain.pocentek.net/docs/openldap-delegate-auth/

https://ltb-project.org/documentation/general/sasl_delegation

https://blogs.msdn.microsoft.com/alextch/2012/04/25/configuring-openldap-pass-through-authentication-to-active-directory/


Cheers,
Vinoth Kumar Selvaraj
07/Feb/2019

Leave a Comment