Difference between revisions of "LDAP Proxy"

 
(13 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
# DOCS
 +
- https://github.com/GluuFederation/cluster-mgr/issues/25
 +
- https://linoxide.com/linux-how-to/configure-ad-authentication-ldap-proxy-tls-ssl/
 +
- https://www.openldap.org/doc/admin24/guide.html
 +
- https://man7.org/linux/man-pages/man5/slapd-meta.5.html
 +
- https://gist.github.com/tuxfight3r/565dc060d2d5837f7349be9c0a1ea61b proxy only no cache
 +
- https://docs.microfocus.com/itom/Service_Management_Automation_-_SM:2018.05/configure_ldap_proxy
 +
 +
# Doesn't Work
 +
- https://stackoverflow.com/questions/33608276/openldap-as-a-proxy-cache-only-no-local-database
 +
 
# OpenLDAP Proxy
 
# OpenLDAP Proxy
 +
- https://www.pixelstech.net/article/1509263631-OpenLDAP-Proxy----slapd-conf
 
- https://doc.owncloud.com/server/admin_manual/configuration/ldap/ldap_proxy_cache_server_setup.html
 
- https://doc.owncloud.com/server/admin_manual/configuration/ldap/ldap_proxy_cache_server_setup.html
 +
- https://memoriaferroviaria.rosana.unesp.br/pmf2/owncloud/core/doc/admin/configuration/ldap/ldap_proxy_cache_server_setup.html
 +
- https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD
 
- https://pypi.org/project/python-ldap-test/
 
- https://pypi.org/project/python-ldap-test/
 +
- https://github.com/twisted/ldaptor
 +
- https://ldaptor.readthedocs.io/en/latest/cookbook/ldap-proxy.html
 +
- https://www.programcreek.com/python/example/107948/ldap3.Connection
 +
 +
# File Examples
 +
 +
testcache.sh
 +
```
 +
export LDAPTLS_REQCERT=never
 +
userdn="CN=myuser,OU=Domain Users,DC=example,DC=com"
 +
userpass="XXXXX"
 +
ldaphost="127.0.0.1"
 +
 +
ldapsearch -h ${ldaphost} -x -w "${userpass}" -D "${userdn}" -b "${basedn}" "(&(sn=Busk*)(givenName=Jeremy))" mail telephoneNumber givenName
 +
```
 +
 +
/etc/ldap/slapd.conf
 +
```
 +
include        /etc/ldap/schema/core.schema
 +
include        /etc/ldap/schema/cosine.schema
 +
include        /etc/ldap/schema/nis.schema
 +
include        /etc/ldap/schema/inetorgperson.schema
 +
pidfile        /var/run/slapd/slapd.pid
 +
argsfile        /var/run/slapd/slapd.args
 +
loglevel        none
 +
modulepath      /usr/lib/ldap
 +
moduleload      back_ldap.la
 +
moduleload      back_hdb.la
 +
moduleload      rwm
 +
moduleload      pcache.la
 +
moduleload memberof.la
 +
sizelimit 500
 +
tool-threads 1
 +
backend        ldap
 +
database                ldap
 +
readonly        yes
 +
protocol-version  3
 +
rebind-as-user
 +
norefs  yes
 +
chase-referrals no
 +
 +
 +
uri "ldap://ldap.example.com:389"
 +
suffix          "dc=example,dc=com"
 +
rootdn          "cn=dc=example,dc=com"
 +
 +
 +
 +
overlay pcache
 +
pcache hdb 100000 3 1000 100
 +
pcachePersist TRUE
 +
directory      "/var/lib/ldap"
 +
pcacheAttrset  0 mail postaladdress telephonenumber givenName
 +
pcacheTemplate (&(sn=)(givenName=)) 0 3600
 +
pcacheTemplate (sn=) 0 3600
 +
pcacheTemplate (&(sn=)(givenName=)) 0 3600
 +
pcacheTemplate (&(departmentNumber=)(secretary=*)) 0 3600
 +
 +
cachesize 20
 +
index      objectClass eq
 +
index      cn,sn,uid,mail  pres,eq,sub
 +
```
 +
 +
/etc/default/slapd
 +
```
 +
SLAPD_CONF=/etc/ldap/slapd.conf
 +
```
 +
 +
### Test and Start
 +
```
 +
slaptest -v -f /etc/ldap/slapd.conf
 +
sudo systemctl restart slapd
 +
```
 +
 +
pcap - notice that only auth credentials are passed for second query as matched query response is cached for your TTL that is set (1 hour)
 +
```
 +
ngrep -d eth0 port 389
 +
```

Latest revision as of 04:55, 2 September 2020

DOCS

Doesn't Work

OpenLDAP Proxy

File Examples

testcache.sh

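#!/usr/bin/env bash
# testcache.sh — run one search through the local slapd proxy so the pcache
# overlay populates; run it twice and compare upstream traffic.
#
# All settings can be overridden from the environment; the defaults are the
# lab placeholders from the wiki page (constructed, adjust for your tree):
#   userdn, userpass, ldaphost, basedn
set -euo pipefail

# Disables TLS certificate verification in the ldap client library. It has no
# effect on the plain ldap:// connection below (only ldaps:// or -Z use TLS);
# outside a loopback lab set it to "demand".
export LDAPTLS_REQCERT="${LDAPTLS_REQCERT:-never}"

userdn="${userdn:-CN=myuser,OU=Domain Users,DC=example,DC=com}"
userpass="${userpass:-XXXXX}"
ldaphost="${ldaphost:-127.0.0.1}"
# basedn was used but never assigned in the original, so the search ran with
# an empty base. Default to the example domain used in userdn above.
basedn="${basedn:-DC=example,DC=com}"

# Hand the bind password to ldapsearch through a private temp file (-y)
# instead of -w on the command line, where every local user can read it in ps.
# mktemp creates the file mode 0600; it is removed on any exit path.
passfile=$(mktemp) || { printf 'mktemp failed\n' >&2; exit 1; }
cleanup() { rm -f -- "$passfile"; }
trap cleanup EXIT
# -y uses the complete file contents as the password, so no trailing newline.
printf '%s' "$userpass" > "$passfile"

# -H replaces the deprecated -h; ldap:// on the default port 389, same as before.
ldapsearch -H "ldap://${ldaphost}" -x -y "$passfile" -D "$userdn" -b "$basedn" \
  "(&(sn=Busk*)(givenName=Jeremy))" mail telephoneNumber givenName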

/etc/ldap/slapd.conf

# slapd.conf for an OpenLDAP instance acting as a read-only proxy (back_ldap)
# with the pcache overlay in front of ldap.example.com.
# slapd.conf accepts only full-line comments, never trailing ones.
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
# "none" turns off slapd's own logging, so binds and searches passing through
# the proxy leave no trace here; raise it (e.g. stats) when auditing.
loglevel        none
modulepath      /usr/lib/ldap
moduleload      back_ldap.la
# back_hdb is the local store the pcache overlay writes cached entries to.
moduleload      back_hdb.la
# NOTE(review): rwm and memberof are loaded but no overlay line below uses
# them — verify they are needed.
moduleload      rwm
moduleload      pcache.la
moduleload memberof.la
sizelimit 500
tool-threads 1
backend         ldap
database                ldap
# Writes are refused at the proxy.
readonly        yes
protocol-version  3
# Each client's own bind DN/password is replayed to the upstream server rather
# than a fixed proxy identity.
rebind-as-user
norefs  yes
chase-referrals no


# Upstream is plain ldap:// on 389. Combined with rebind-as-user, every client
# password is forwarded to ldap.example.com unencrypted unless the link is
# changed to ldaps:// or StartTLS — confirm the network path is trusted.
uri "ldap://ldap.example.com:389"
suffix          "dc=example,dc=com"
# NOTE(review): no rootpw is set for this rootdn, and the DN shape
# "cn=dc=example,dc=com" looks unusual — verify it is intentional.
rootdn          "cn=dc=example,dc=com"



overlay pcache
# Positional arguments per slapd-pcache(5): backing database, max cached
# entries, number of attribute sets, per-query entry limit, consistency-check
# period in seconds — presumably (hdb, 100000, 3, 1000, 100); confirm.
pcache hdb 100000 3 1000 100
# Cached entries survive a restart; they live on disk under the directory
# below, so its filesystem permissions protect upstream directory data.
pcachePersist TRUE
directory       "/var/lib/ldap"
# Only attribute set 0 is defined although 3 sets are declared above.
pcacheAttrset  0 mail postaladdress telephonenumber givenName
# Templates: (filter shape) (attrset) (TTL seconds). 3600 is the "1 hour"
# referred to in the page text.
pcacheTemplate (&(sn=)(givenName=)) 0 3600
pcacheTemplate (sn=) 0 3600
# NOTE(review): this line duplicates the first template exactly; remove one.
pcacheTemplate (&(sn=)(givenName=)) 0 3600
pcacheTemplate (&(departmentNumber=)(secretary=*)) 0 3600

# Settings below apply to the hdb cache database.
cachesize 20
index       objectClass eq
index       cn,sn,uid,mail  pres,eq,sub

/etc/default/slapd

# Points the slapd service at the flat slapd.conf above (Debian/Ubuntu layout,
# where the default is otherwise the cn=config directory) — confirm for your distro.
SLAPD_CONF=/etc/ldap/slapd.conf

Test and Start

# Validate the config before restarting so a typo does not take the proxy down.
slaptest -v -f /etc/ldap/slapd.conf
sudo systemctl restart slapd

pcap - notice that only the bind credentials are passed upstream for the second query, because the matching query response is cached for the TTL you set (1 hour)

# Shows LDAP payloads on the wire; this is only readable because the upstream
# link is plain ldap://, so the capture also exposes the forwarded bind
# credentials. Run on a trusted host and do not keep the capture.
ngrep -d eth0 port 389