What the OpenLDAP proxy provides

Many applications support the Lightweight Directory Access Protocol (LDAP) and require data stored in this format, but do not support Kerberos. In addition, many applications that support LDAP cannot search Active Directory directly because of the complexities of the Active Directory environment itself, such as the global catalog, multiple domains, multiple forests, and trust relationships.

The Centrify OpenLDAP proxy is an OpenLDAP server process that enables LDAP clients that are not Kerberos-enabled to search Active Directory efficiently and securely. By using the Centrify OpenLDAP proxy, applications that support LDAP can search complex Active Directory environments and authenticate users with Active Directory. Through the Centrify agent, the Centrify OpenLDAP proxy enables you to resolve UIDs, GIDs, and group membership efficiently and to collapse the entire Centrify hierarchical zone structure, including parent and child zones and individual computer overrides, into a single namespace for LDAP applications.

In addition, connecting to Active Directory typically requires an authenticated bind with a valid user name and password. Because the Centrify OpenLDAP proxy uses the Centrify agent to connect to Active Directory and retrieve information, you can issue OpenLDAP commands without an authenticated bind.

The following diagram provides a simplified overview of the components.

The key advantages of deploying the Centrify OpenLDAP proxy when you have LDAP clients on which the Centrify agent cannot be installed are as follows:

  • You can use the Centrify OpenLDAP proxy server to run commands that retrieve or update information stored in Active Directory.
  • The Centrify OpenLDAP proxy service uses the Centrify agent to securely connect to Active Directory and retrieve user, group, and other information from the Active Directory domain controller.
  • You can leverage the offline authentication and caching capabilities of the Centrify agent for applications that support LDAP, but not Kerberos.
  • Regardless of the complexity in Active Directory, including multiple domains and forests and parent and child zones, the Centrify OpenLDAP proxy treats the information stored in Active Directory as a single RFC 2307-compatible namespace.

Enabling simple authentication

Users can be authenticated through simple authentication to the Centrify OpenLDAP proxy with their username and password. This is then converted to a secure Kerberos authentication by adclient.

By default, to authenticate users, adclient checks its credential cache first and, if the user is not in the cache, refers to Active Directory. Allowing the Centrify OpenLDAP proxy to use the adclient credential cache enables authentication when adclient is in disconnected mode.

If you want to always authenticate through Active Directory, add the following line to the slapd.conf file (/etc/centrifydc/openldap/slapd.conf):

cdc-auth-prefer-cache false

Enabling simple proxy mode

If either objectClass or objectCategory is not specified in the search filter, the search is in simple proxy mode. With simple proxy mode, all search filters are sent without translation through adclient to Active Directory. All results are returned as provided by Active Directory without translation or interpretation of results.
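As an added illustration of the rule above (this is example code, not part of the Centrify documentation or product), the following Python walks an RFC 4515 search filter, lists the attributes it references, and reports whether the proxy would treat it as a simple proxy search. It assumes the rule means that neither objectClass nor objectCategory appears anywhere in the filter, and that attribute names compare case-insensitively as they do in LDAP.

```python
import re

# Attribute names are case-insensitive in LDAP, so compare them lower-cased.
MODE_ATTRIBUTES = {"objectclass", "objectcategory"}
# One filter item: attr[;options][:dn][:rule] followed by =, ~=, >=, <= or :=.
_ITEM = re.compile(r"\s*([A-Za-z0-9][A-Za-z0-9.;-]*)?\s*(?::[^=]*)?[~<>]?=")

def filter_attributes(ldap_filter: str) -> list[str]:
    """Return the attribute names an RFC 4515 filter references, in order.

    Walks and/or/not nesting; values escape literal parentheses as \\28 / \\29,
    so a raw ")" always ends an item. Raises ValueError on malformed filters."""
    attrs: list[str] = []
    pos = 0

    def parse() -> None:
        nonlocal pos
        if pos >= len(ldap_filter) or ldap_filter[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(ldap_filter) and ldap_filter[pos] in "&|!":
            pos += 1                              # filter set: recurse into each child
            while pos < len(ldap_filter) and ldap_filter[pos] == "(":
                parse()
        else:                                     # simple item, e.g. (uid=jdoe)
            end = ldap_filter.find(")", pos)
            if end < 0:
                raise ValueError("unterminated filter item")
            match = _ITEM.match(ldap_filter, pos, end)
            if not match:
                raise ValueError(f"malformed filter item {ldap_filter[pos:end]!r}")
            if match.group(1):                    # absent for "(:dn:rule:=value)"
                attrs.append(match.group(1).split(";")[0])   # drop ";binary"-style options
            pos = end
        if pos >= len(ldap_filter) or ldap_filter[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1

    parse()
    if pos != len(ldap_filter):
        raise ValueError("trailing characters after the filter")
    return attrs

def simple_proxy_mode(ldap_filter: str) -> bool:
    """True when the documented rule passes the filter through untranslated.

    Assumption: simple proxy mode applies when the filter names neither
    objectClass nor objectCategory (names compared case-insensitively)."""
    names = {name.lower() for name in filter_attributes(ldap_filter)}
    return not (names & MODE_ATTRIBUTES)
```

Running an application's filters through simple_proxy_mode() shows which queries will bypass the proxy's namespace translation and be answered exactly as Active Directory returns them.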