What the OpenLDAP proxy provides

Many applications support the Lightweight Directory Access Protocol (LDAP) and require data stored in this format, but do not support Kerberos. In addition, many applications that support LDAP cannot search Active Directory directly because of the complexities of the Active Directory environment itself, such as the global catalog, multiple domains, multiple forests, and trust relationships.

The Server Suite OpenLDAP proxy is an OpenLDAP server process that enables LDAP clients that are not Kerberos-enabled to search Active Directory efficiently and securely. By using the Server Suite OpenLDAP proxy, applications that support LDAP can search complex Active Directory environments and authenticate users with Active Directory. Through the Server Suite Agent, the Server Suite OpenLDAP proxy enables you to resolve UID, GID, and group membership efficiently and to collapse the entire Server Suite hierarchical zone structure, including parent and child zones and individual computer overrides, into a single namespace for LDAP applications.

In addition, connecting to Active Directory typically requires an authenticated bind with a valid user name and password. Because the Server Suite OpenLDAP proxy uses the Server Suite Agent to connect to Active Directory and retrieve information, you can issue OpenLDAP commands without an authenticated bind.

The following diagram provides a simplified overview of the components.

[Diagram: Components]

The key advantages to deploying the Server Suite OpenLDAP proxy when you have LDAP clients where the Server Suite Agent cannot be installed are as follows:

  • You can use the Server Suite OpenLDAP proxy server to run commands that retrieve or update information stored in Active Directory.

  • The Server Suite OpenLDAP proxy service uses the Server Suite Agent to securely connect to Active Directory and retrieve user, group, and other information from the Active Directory domain controller.

  • You can leverage the offline authentication and caching capabilities of the Server Suite Agent for applications that support LDAP, but not Kerberos.

  • Regardless of the complexity in Active Directory, including multiple domains and forests and parent and child zones, the Server Suite OpenLDAP proxy treats the information stored in Active Directory as a single RFC2307-compatible namespace.

Enabling simple authentication

Users can be authenticated through simple authentication to the Server Suite OpenLDAP proxy with their username and password. This is then converted to a secure Kerberos authentication by adclient.

By default, adclient authenticates a user by checking its credential cache first and, if the user is not in the cache, by contacting Active Directory. Allowing the Server Suite OpenLDAP proxy to use the adclient credential cache means authentication still works while adclient is in disconnected mode.

To always authenticate through Active Directory instead, add the following line to the slapd.conf file (/etc/centrifydc/openldap/slapd.conf):

cdc-auth-prefer-cache false
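The following script is an added example, not Delinea/Centrify code, for checking which behaviour a given slapd.conf actually configures. It reports the effective value of cdc-auth-prefer-cache, treating an absent directive as the default described above (cache consulted first, reported as "true"). It assumes directive names are matched case-insensitively and that, if the directive appears more than once, the last occurrence wins; the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Delinea/Centrify code): report the effective value of
# cdc-auth-prefer-cache in a slapd.conf. An absent directive means the default
# described above (prefer the adclient credential cache), reported as "true".
# Assumptions: directive names are matched case-insensitively and, if the
# directive appears more than once, the last occurrence wins.

# Print "true" or "false": the effective cdc-auth-prefer-cache value in the
# slapd.conf given as $1.
cdc_auth_prefer_cache() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        tolower($1) == "cdc-auth-prefer-cache" { v = tolower($2) }
        END { print (v == "" ? "true" : v) }
    ' "$1"
}

# Return 0 when the config forces every authentication through Active
# Directory (cache not preferred), 1 otherwise.
always_auth_via_ad() {
    [ "$(cdc_auth_prefer_cache "$1")" = "false" ]
}

# Constructed sample configs (not real slapd.conf files) so the check runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/default.conf" <<'EOF'
# constructed fragment: directive absent, so adclient's cache is consulted first
loglevel 256
EOF
cat > "$demo_dir/ad-only.conf" <<'EOF'
# constructed fragment: always authenticate through Active Directory
loglevel 256
cdc-auth-prefer-cache false
EOF

demo_default=$(cdc_auth_prefer_cache "$demo_dir/default.conf")   # true
demo_ad_only=$(cdc_auth_prefer_cache "$demo_dir/ad-only.conf")   # false
printf 'default.conf: cdc-auth-prefer-cache=%s\n' "$demo_default"
printf 'ad-only.conf: cdc-auth-prefer-cache=%s\n' "$demo_ad_only"
```

Run it against a copy of the real file to confirm the setting before relying on it. Keep the trade-off in mind: with the directive set to false, simple binds through the proxy depend on Active Directory being reachable, so they fail while adclient is in disconnected mode.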

Enabling SASL/GSSAPI authentication

You can also configure user authentication to the Server Suite OpenLDAP proxy to use SASL/GSSAPI (Simple Authentication and Security Layer/Generic Security Services Application Program Interface). This requires a valid Kerberos credential cache.

Using SASL/GSSAPI authentication provides a data security layer that offers data integrity and data confidentiality services to secure communications between LDAP clients and the Server Suite OpenLDAP proxy service.

For example, here's how to use the ldapsearch command with SASL/GSSAPI authentication:

KRB5CCNAME=FILE:/etc/krb5.ccache /usr/share/centrifydc/bin/ldapsearch -h localhost "(&(objectClass=posixAccount)(uid=user1))"
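The wrapper below is an added example, not Delinea/Centrify code. It performs the two checks a practitioner wants around the command above: that KRB5CCNAME actually names a usable file-based credential cache before the search is attempted, and that the uid is escaped per RFC 4515 before it is spliced into the filter, so that user-supplied input cannot change the filter's meaning. The offline cache checks (existence, readability, non-zero size) do not prove the tickets are valid; `klist -s` does that and is deliberately not called so the example runs without Kerberos installed. The helper names, the PROXY_DRY_RUN variable and the placeholder cache file are this example's own.

```shell
#!/bin/sh
# Added example (not Delinea/Centrify code). Before running the documented
# SASL/GSSAPI search, confirm that KRB5CCNAME names a usable file-based
# credential cache, and escape the uid before splicing it into the filter.
# Offline checks only (existence, readability, non-zero size); ticket validity
# itself needs `klist -s`, deliberately not called so the example runs without
# Kerberos installed. PROXY_DRY_RUN is this example's own variable.

# Return 0 if the KRB5CCNAME value in $1 is a FILE: cache (or a bare path,
# which the Kerberos libraries treat as a file) that exists, is readable and
# is not empty; 1 otherwise. Other cache types are not checked here.
krb5_cache_ready() {
    cc=$1
    case "$cc" in
        FILE:*) path=${cc#FILE:} ;;
        *:*)    echo "unsupported cache type in '$cc' (only FILE: is checked)" >&2
                return 1 ;;
        *)      path=$cc ;;
    esac
    [ -s "$path" ] && [ -r "$path" ]
}

# Escape a value for use inside an LDAP filter (RFC 4515): backslash first,
# then '*', '(' and ')', so caller-supplied input cannot alter the filter.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the posixAccount filter for uid $1, with the uid escaped.
uid_filter() {
    printf '(&(objectClass=posixAccount)(uid=%s))' "$(ldap_filter_escape "$1")"
}

# Run the documented search for uid $1 using the cache named by $2. With
# PROXY_DRY_RUN=1 the command line is printed instead of executed.
proxy_gssapi_search() {
    cc=$2
    krb5_cache_ready "$cc" || { echo "no usable Kerberos cache: $cc" >&2; return 1; }
    filter=$(uid_filter "$1")
    if [ "${PROXY_DRY_RUN:-0}" = 1 ]; then
        printf 'KRB5CCNAME=%s /usr/share/centrifydc/bin/ldapsearch -h localhost "%s"\n' "$cc" "$filter"
    else
        KRB5CCNAME=$cc /usr/share/centrifydc/bin/ldapsearch -h localhost "$filter"
    fi
}

# Constructed demo: a placeholder file stands in for a real credential cache.
demo_cc=$(mktemp)
printf 'constructed placeholder, not a real credential cache\n' > "$demo_cc"
PROXY_DRY_RUN=1
proxy_gssapi_search user1 "FILE:$demo_cc"
```

Unset PROXY_DRY_RUN to run the search for real; the escaping matters whenever the uid comes from a request or a form rather than from an administrator's keyboard.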

Enabling simple proxy mode

If either objectClass or objectCategory is not specified in the search filter, the search is in simple proxy mode. With simple proxy mode, all search filters are sent without translation through adclient to Active Directory. All results are returned as provided by Active Directory without translation or interpretation of results.
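The following is an added example, not Delinea/Centrify code, for classifying an application's search filters by the rule above so you can see which of them will reach Active Directory untranslated. It assumes the intended reading of the rule is that a filter naming objectClass or objectCategory is translated by the proxy, while a filter naming neither is passed through in simple proxy mode; "translated" is this example's own label for the non-proxy mode. It also assumes attribute names are matched case-insensitively (LDAP attribute types are case-insensitive, but the page does not say how the proxy matches them). The sample filters are constructed, apart from the one taken from the ldapsearch example above.

```shell
#!/bin/sh
# Added example (not Delinea/Centrify code): classify LDAP search filters by
# how the proxy handles them. Assumed reading of the rule: a filter naming
# objectClass or objectCategory is translated by the proxy; one naming neither
# is passed through to Active Directory in simple proxy mode. Attribute names
# are matched case-insensitively (assumption).

# Print "translated" or "simple-proxy" for the LDAP filter given as $1.
proxy_mode() {
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$lower" in
        *'(objectclass='*|*'(objectcategory='*) echo translated ;;
        *) echo simple-proxy ;;
    esac
}

# Report the proxy mode of each filter read from stdin, one filter per line.
report_modes() {
    while IFS= read -r f; do
        printf '%-13s %s\n' "$(proxy_mode "$f")" "$f"
    done
}

# Constructed sample filters; the first is the one from the ldapsearch example.
report_modes <<'EOF'
(&(objectClass=posixAccount)(uid=user1))
(objectCategory=person)
(uid=user1)
(&(cn=builders)(memberUid=user1))
(!(objectclass=computer))
EOF
```

A practical consequence visible in the output: a lookup such as (uid=user1) on its own is sent through to Active Directory as-is and its results are returned without interpretation, so an application that wants zone-resolved POSIX attributes should qualify its filters with objectClass, as the ldapsearch example above does.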