OpenLDAP as proxy
by lqoreader from LinuxQuestions.org on (#4TTK0)
Hi OpenLDAP Pros!
Trying to implement an OpenLDAP cluster, I already managed to set up the two backend LDAP servers in mirroring mode.
The application (iRedMail) using the LDAP service is running on the same systems as the LDAP servers. This applications needs the LDAP configuration in the former slapd.conf manner and not in the CONFIG-DB way. So I added the mirroring parameters to the slapd.conf file. The file looks like this on the first backend node:
Code:include /etc/openldap/schema/core.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/calentry.schema
include /etc/openldap/schema/calresource.schema
include /etc/openldap/schema/amavisd-new.schema
include /etc/openldap/schema/iredmail.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# The syncprov overlay
moduleload syncprov.la
disallow bind_anon
require LDAPv3
loglevel 0
access to attrs="userPassword,mailForwardingAddress,employeeNumber"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users none
access to attrs="cn,sn,gn,givenName,telephoneNumber"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users read
access to attrs="objectclass,domainName,mtaTransport,enabledService,domainSenderBccAddress,domainRecipientBccAddress,domainBackupMX,domainMaxQuotaSize,domainMaxUserNumber,domainPendingAliasName"
by anonymous auth
by self read
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users read
access to attrs="domainAdmin,domainGlobalAdmin,domainSenderBccAddress,domainRecipientBccAddress"
by anonymous auth
by self read
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users none
access to attrs="mail,accountStatus,domainStatus,userSenderBccAddress,userRecipientBccAddress,mailQuota,backupMailAddress,shadowAddress,memberOfGroup,member,uniqueMember,storageBaseDirectory,homeDirectory,mailMessageStore,mailingListID"
by anonymous auth
by self read
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users read
access to dn="cn=vmail,dc=myCompany,dc=de"
by anonymous auth
by self write
by users none
access to dn="cn=vmailadmin,dc=myCompany,dc=de"
by anonymous auth
by self write
by users none
access to dn.regex="domainName=([^,]+),o=domains,dc=myCompany,dc=de$"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by dn.regex="mail=[^,]+@$1,o=domainAdmins,dc=myCompany,dc=de$" write
by dn.regex="mail=[^,]+@$1,ou=Users,domainName=$1,o=domains,dc=myCompany,dc=de$" read
by users none
access to dn.subtree="o=domains,dc=myCompany,dc=de"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users read
access to dn.subtree="o=domainAdmins,dc=myCompany,dc=de"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users none
access to dn.regex="cn=[^,]+,dc=myCompany,dc=de"
by anonymous auth
by self write
by users none
access to *
by anonymous auth
by self write
by users read
database monitor
access to dn="cn=monitor"
by dn.exact="cn=Manager,dc=myCompany,dc=de" read
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by * none
database mdb
suffix dc=myCompany,dc=de
directory /var/lib/ldap/myCompany.de
rootdn cn=Manager,dc=myCompany,dc=de
rootpw {SSHA}V5/UQXm9SmzRGjKK2zAKB79eFSaysc2wG9tPIg==
sizelimit unlimited
maxsize 2147483648
checkpoint 128 3
mode 0700
index objectclass,entryCSN,entryUUID eq
index uidNumber,gidNumber,uid,memberUid,loginShell eq,pres
index homeDirectory,mailMessageStore eq,pres
index ou,cn,mail,surname,givenname,telephoneNumber,displayName eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index shadowLastChange eq,pres
index member,uniqueMember eq,pres
index domainName,mtaTransport,accountStatus,enabledService,disabledService eq,pres,sub
index domainAliasName eq,pres,sub
index domainMaxUserNumber eq,pres
index domainAdmin,domainGlobalAdmin,domainBackupMX eq,pres,sub
index domainSenderBccAddress,domainRecipientBccAddress eq,pres,sub
index accessPolicy,hasMember,listAllowedUser,mailingListID eq,pres,sub
index mailForwardingAddress,shadowAddress eq,pres,sub
index backupMailAddress,memberOfGroup eq,pres,sub
index userRecipientBccAddress,userSenderBccAddress eq,pres,sub
index mobile,departmentNumber eq,pres,sub
#Mirror Mode
serverID 001
# Consumer
syncrepl rid=001 \
provider=ldap://rm2.myCompany.de \
bindmethod=simple \
binddn="cn=vmail,dc=myCompany,dc=de" \
credentials="gtV9FwILIcp8Zw8YtGeB1AC9GbGfti" \
searchbase="dc=myCompany,dc=de" \
attrs="*,+" \
type=refreshAndPersist \
interval=00:00:01:00 \
retry="60 +"
# Provider
overlay syncprov
syncprov-checkpoint 50 1
syncprov-sessionlog 50
mirrormode onThere are only two differences in the second node's config file:
Code:[...]
#Mirror Mode
serverID 002
[...]
# Consumer
[...]
provider=ldap://rm2.myCompany.de \
[...]As mentioned before the mirroring works perfectly.
Now I need a single connection address for the LDAP clients, i.e. web applications using LDAP as authentication mechanism.
I read that you can use an OpenLDAP proxy for that purpose. The LDAP client (here: web application) connects to the LDAP proxy and the proxy will retrieve the authentication data from multiple backend LDAP servers.
I set up an OpenLDAP proxy, it uses CONFIG-DB, not the ancient way. The slapd.conf file looks like this:
Code:include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
moduleload back_ldap.la
loglevel 0
database ldap
readonly yes
protocol-version 3
rebind-as-user
uri "ldap://rm1.myCompany.de:389"
suffix "dc=myCompany,dc=de"
uri "ldap://rm2.myCompany.de:389"
suffix "dc=myCompany,dc=de"First issue:
Creating the CONFIG-DB using slaptest, the command fails, claiming:
Code:5dc44107 /etc/openldap/slapd.conf: line 48: suffix already served by this backend!.
slaptest: bad configuration directory!The slaptest command looks like this:
Code:slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/It is possible that I didn't understand completely the concept, because all guides I found are using subdomain prefixes for the different LDAP backend servers, i.e. instead of:
Code:uri "ldap://rm1.myCompany.de:389"
suffix "dc=myCompany,dc=de"
uri "ldap://rm2.myCompany.de:389"
suffix "dc=myCompany,dc=de"they use:
Code:uri "ldap://rm1.myCompany.de:389"
suffix "dc=ou1,dc=myCompany,dc=de"
uri "ldap://rm2.myCompany.de:389"
suffix "dc=ou2,dc=myCompany,dc=de"What I didn't understand: On the backend servers there is no ou1 and ou2 respectively. How can they expect to find anything in the backend LDAPs if the DNs do not match?
I temporarily commented the second uri in order to check if, apart from this issue, LDAP queries to the LDAP proxy succeed, but ran into the second issue.
Second issue:
If I run an ldapsearch against directly to the two backend LDAP servers (one after the other), all of the LDAP users will be enumerated.
If I run the same ldapsearch against the LDAP proxy, only the user "vmail" will be enumerated. I think that the same users should be listed as in the direct query.
This is the ldapsearch command:
Code:ldapsearch -D "cn=vmail,dc=myCompany,dc=de" -w gtV9FwILIcp8Zw8YtGeB1AC9GbGfti -p 389 -h 192.168.0.92 -b "dc=myCompany,dc=de" -s sub "(objectclass=person)"Did I miss sth.?
Thank you for your considerations!
Best regards,
Florian
Trying to implement an OpenLDAP cluster, I already managed to set up the two backend LDAP servers in mirroring mode.
The application (iRedMail) using the LDAP service is running on the same systems as the LDAP servers. This applications needs the LDAP configuration in the former slapd.conf manner and not in the CONFIG-DB way. So I added the mirroring parameters to the slapd.conf file. The file looks like this on the first backend node:
Code:include /etc/openldap/schema/core.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/calentry.schema
include /etc/openldap/schema/calresource.schema
include /etc/openldap/schema/amavisd-new.schema
include /etc/openldap/schema/iredmail.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# The syncprov overlay
moduleload syncprov.la
disallow bind_anon
require LDAPv3
loglevel 0
access to attrs="userPassword,mailForwardingAddress,employeeNumber"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users none
access to attrs="cn,sn,gn,givenName,telephoneNumber"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users read
access to attrs="objectclass,domainName,mtaTransport,enabledService,domainSenderBccAddress,domainRecipientBccAddress,domainBackupMX,domainMaxQuotaSize,domainMaxUserNumber,domainPendingAliasName"
by anonymous auth
by self read
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users read
access to attrs="domainAdmin,domainGlobalAdmin,domainSenderBccAddress,domainRecipientBccAddress"
by anonymous auth
by self read
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users none
access to attrs="mail,accountStatus,domainStatus,userSenderBccAddress,userRecipientBccAddress,mailQuota,backupMailAddress,shadowAddress,memberOfGroup,member,uniqueMember,storageBaseDirectory,homeDirectory,mailMessageStore,mailingListID"
by anonymous auth
by self read
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users read
access to dn="cn=vmail,dc=myCompany,dc=de"
by anonymous auth
by self write
by users none
access to dn="cn=vmailadmin,dc=myCompany,dc=de"
by anonymous auth
by self write
by users none
access to dn.regex="domainName=([^,]+),o=domains,dc=myCompany,dc=de$"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by dn.regex="mail=[^,]+@$1,o=domainAdmins,dc=myCompany,dc=de$" write
by dn.regex="mail=[^,]+@$1,ou=Users,domainName=$1,o=domains,dc=myCompany,dc=de$" read
by users none
access to dn.subtree="o=domains,dc=myCompany,dc=de"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users read
access to dn.subtree="o=domainAdmins,dc=myCompany,dc=de"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users none
access to dn.regex="cn=[^,]+,dc=myCompany,dc=de"
by anonymous auth
by self write
by users none
access to *
by anonymous auth
by self write
by users read
database monitor
access to dn="cn=monitor"
by dn.exact="cn=Manager,dc=myCompany,dc=de" read
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by * none
database mdb
suffix dc=myCompany,dc=de
directory /var/lib/ldap/myCompany.de
rootdn cn=Manager,dc=myCompany,dc=de
rootpw {SSHA}V5/UQXm9SmzRGjKK2zAKB79eFSaysc2wG9tPIg==
sizelimit unlimited
maxsize 2147483648
checkpoint 128 3
mode 0700
index objectclass,entryCSN,entryUUID eq
index uidNumber,gidNumber,uid,memberUid,loginShell eq,pres
index homeDirectory,mailMessageStore eq,pres
index ou,cn,mail,surname,givenname,telephoneNumber,displayName eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index shadowLastChange eq,pres
index member,uniqueMember eq,pres
index domainName,mtaTransport,accountStatus,enabledService,disabledService eq,pres,sub
index domainAliasName eq,pres,sub
index domainMaxUserNumber eq,pres
index domainAdmin,domainGlobalAdmin,domainBackupMX eq,pres,sub
index domainSenderBccAddress,domainRecipientBccAddress eq,pres,sub
index accessPolicy,hasMember,listAllowedUser,mailingListID eq,pres,sub
index mailForwardingAddress,shadowAddress eq,pres,sub
index backupMailAddress,memberOfGroup eq,pres,sub
index userRecipientBccAddress,userSenderBccAddress eq,pres,sub
index mobile,departmentNumber eq,pres,sub
#Mirror Mode
serverID 001
# Consumer
syncrepl rid=001 \
provider=ldap://rm2.myCompany.de \
bindmethod=simple \
binddn="cn=vmail,dc=myCompany,dc=de" \
credentials="gtV9FwILIcp8Zw8YtGeB1AC9GbGfti" \
searchbase="dc=myCompany,dc=de" \
attrs="*,+" \
type=refreshAndPersist \
interval=00:00:01:00 \
retry="60 +"
# Provider
overlay syncprov
syncprov-checkpoint 50 1
syncprov-sessionlog 50
mirrormode onThere are only two differences in the second node's config file:
Code:[...]
#Mirror Mode
serverID 002
[...]
# Consumer
[...]
provider=ldap://rm2.myCompany.de \
[...]As mentioned before the mirroring works perfectly.
Now I need a single connection address for the LDAP clients, i.e. web applications using LDAP as authentication mechanism.
I read that you can use an OpenLDAP proxy for that purpose. The LDAP client (here: web application) connects to the LDAP proxy and the proxy will retrieve the authentication data from multiple backend LDAP servers.
I set up an OpenLDAP proxy, it uses CONFIG-DB, not the ancient way. The slapd.conf file looks like this:
Code:include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
moduleload back_ldap.la
loglevel 0
database ldap
readonly yes
protocol-version 3
rebind-as-user
uri "ldap://rm1.myCompany.de:389"
suffix "dc=myCompany,dc=de"
uri "ldap://rm2.myCompany.de:389"
suffix "dc=myCompany,dc=de"First issue:
Creating the CONFIG-DB using slaptest, the command fails, claiming:
Code:5dc44107 /etc/openldap/slapd.conf: line 48: suffix already served by this backend!.
slaptest: bad configuration directory!The slaptest command looks like this:
Code:slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/It is possible that I didn't understand completely the concept, because all guides I found are using subdomain prefixes for the different LDAP backend servers, i.e. instead of:
Code:uri "ldap://rm1.myCompany.de:389"
suffix "dc=myCompany,dc=de"
uri "ldap://rm2.myCompany.de:389"
suffix "dc=myCompany,dc=de"they use:
Code:uri "ldap://rm1.myCompany.de:389"
suffix "dc=ou1,dc=myCompany,dc=de"
uri "ldap://rm2.myCompany.de:389"
suffix "dc=ou2,dc=myCompany,dc=de"What I didn't understand: On the backend servers there is no ou1 and ou2 respectively. How can they expect to find anything in the backend LDAPs if the DNs do not match?
I temporarily commented the second uri in order to check if, apart from this issue, LDAP queries to the LDAP proxy succeed, but ran into the second issue.
Second issue:
If I run an ldapsearch against directly to the two backend LDAP servers (one after the other), all of the LDAP users will be enumerated.
If I run the same ldapsearch against the LDAP proxy, only the user "vmail" will be enumerated. I think that the same users should be listed as in the direct query.
This is the ldapsearch command:
Code:ldapsearch -D "cn=vmail,dc=myCompany,dc=de" -w gtV9FwILIcp8Zw8YtGeB1AC9GbGfti -p 389 -h 192.168.0.92 -b "dc=myCompany,dc=de" -s sub "(objectclass=person)"Did I miss sth.?
Thank you for your considerations!
Best regards,
Florian