nslcd with domain.com and sub.domain.com
I'm trying to set up our Linux server with nslcd against multiple AD domains, example.com and sub.example.com.
The current setup with nslcd is pretty easy and works for the domain example.com:
# /etc/nslcd.conf for the example.com domain (the working single-domain setup).
# This file carries a clear-text bind password: keep it root-owned, mode 0600.
uid nslcd
gid ldap
# LDAPS to the domain controller; the TLS settings further down decide how much
# protection that actually gives.
uri ldaps://dc1.example.com:636
base dc=example,dc=com
# Service account used for lookups; read access is all it needs.
binddn cn=srv_authuser,ou=server,dc=example,dc=com
bindpw ----
# NOTE(review): 'never' skips verification of the DC's certificate, so the
# ldaps:// session (and the bindpw sent over it) can be intercepted by anything
# sitting between this host and dc1. Prefer 'tls_reqcert demand' with the
# issuing CA placed in tls_cacertdir below.
tls_reqcert never
pagesize 1000
# AD returns referrals for other naming contexts; not chasing them keeps
# lookups from stalling on servers this host cannot reach.
referrals off
idle_timelimit 800
# User objects only, machine accounts excluded.
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map passwd uid sAMAccountName
# uidNumber is derived from the RID part of objectSid, relative to this domain SID.
map passwd uidNumber objectSid:S-1-5-21-4129304498-564803152-741489137
map passwd gidNumber gidNumber
# Quoted values are literals; "$sAMAccountName" is expanded per entry.
map passwd loginShell "/bin/bash"
map passwd homeDirectory "/home/$sAMAccountName"
# NOTE(review): the trailing ")(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))"
# looks like a fragment of a 'filter passwd' expression pasted onto the gecos
# map; nslcd is unlikely to accept this line as written. Confirm against the
# real file (expected: map passwd gecos displayName).
map passwd gecos displayName)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map group gidNumber objectSid:S-1-5-21-4129304498-564803152-741489137
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
# Has no effect on verification while tls_reqcert is 'never'.
tls_cacertdir /etc/openldap/cacerts
# 'ssl on' selects LDAPS; with an ldaps:// uri above it appears redundant.
ssl on
Is it possible with nslcd (pam-nss-ldap) to set up a second LDAP query for sub.domain.com, or is this only possible via sssd? If the bind user has admin rights on sub.domain.com, could he also fetch passwords/account data?
Thanks
Solution 1:
You won't be able to do this with nslcd alone. Instead, configure a proxy LDAP server with a fake domain name, served by slapd with the slapd-meta or slapd-ldap backend, and add your AD servers to e.g. fakedomain.local. Once that is done you can enroll your client in fakedomain.local, which contains several domains inside it, and then list users from two different LDAP servers.
Here is a sample of the LDAP proxy configuration:
# Install the OpenLDAP server (slapd) and client tools on the proxy host.
sudo yum install -y openldap openldap-clients openldap-servers
# The proxy's configuration file; its contents are listed below.
cat /etc/openldap/slapd.conf
# slapd.conf for the LDAP proxy: one fake suffix (dc=fakedomain,dc=local) that
# back-meta maps onto the two real AD domains. It holds admin credentials in
# clear text, so keep it readable by the ldap user only (mode 0600).
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema
# NOTE(review): these relax protocol checks (LDAPv2 binds; anonymous binds that
# carry credentials). Drop them unless a specific client needs them.
allow bind_v2
allow bind_anon_cred
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap/
# rwm for suffix rewriting; back_ldap / back_meta as the proxy backends.
moduleload rwm.la
moduleload back_ldap.la
moduleload back_meta.la
# NOTE(review): 4095 enables nearly every debug category, so the log will carry
# every bind DN and search the proxy relays. Fine for bring-up; lower it for
# production.
loglevel 4095
# AD attribute missing from the stock schemas; declared so slapd knows it.
attributetype ( 1.2.840.113556.1.4.656 NAME 'userPrincipalName' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
# Active Directory 1 (real1.domain)
# NOTE(review): slapd normally refuses a second database whose suffix is already
# served (see the second 'database meta' below). back-meta expresses several
# targets as repeated uri/suffixmassage/idassert-bind groups under ONE
# 'database meta' -- confirm slaptest accepts this file as written.
database meta
suffix "dc=fakedomain,dc=local"
# NOTE(review): plain ldap:// on 389 -- the admin credentials below travel to
# the DC unencrypted. Use ldaps:// (port 636) for the target.
uri "ldap://ipofyourldap1:389/dc=fakedomain,dc=local"
# The proxy never forwards writes, so the account below cannot be used to
# change AD through it.
readonly yes
lastmod off
# Rewrites the fake suffix to this target's real base DN in both directions.
suffixmassage "dc=fakedomain,dc=local" "ou=users,ou=office,dc=real1,dc=domain"
# binddn= and credentials= are continuation lines of idassert-bind and must start
# with whitespace in the real file (the indentation seems lost in this paste).
# Every search the proxy relays to this target runs as this account.
idassert-bind bindmethod=simple
binddn="CN=userwithadminrights,OU=users,OU=office,DC=real1,DC=domain"
credentials="yourplaintextpassword"
# NOTE(review): "*" lets any identity bound to the proxy -- anonymous included,
# given bind_anon_cred above -- act as the account above against AD. Restrict
# it to the DN nslcd binds with, e.g. idassert-authzFrom "dn.exact:<nslcd bind DN>".
# A read-only service account in AD is enough for lookups; admin rights are not
# needed.
idassert-authzFrom "*"
# Active Directory 2 (real2.domain) -- same notes as for target 1 apply.
database meta
suffix "dc=fakedomain,dc=local"
uri "ldap://ipofyourldap2:389/dc=fakedomain,dc=local"
readonly yes
lastmod off
suffixmassage "dc=fakedomain,dc=local" "ou=users,ou=office,dc=real2,dc=domain"
idassert-bind bindmethod=simple
binddn="CN=userwithadminrights,OU=users,OU=office,DC=real2,DC=domain"
credentials="yourplaintextpassword"
idassert-authzFrom "*"
Add the following:
#####################ADD TO /etc/openldap/schema/inetorgperson.schema############
# The stock schemas do not define AD's sAMAccountName, which the nslcd side
# maps onto the passwd/shadow uid; declare it here so slapd knows the attribute.
# NOTE(review): no EQUALITY rule is declared, so equality filters on this
# attribute evaluated by slapd itself would be undefined. If lookups by name
# through the proxy return nothing, try adding EQUALITY caseIgnoreMatch (AD
# compares it case-insensitively) -- TODO confirm.
attributetype ( 1.2.840.113556.1.4.221
NAME 'sAMAccountName'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
#####################ADD TO /etc/openldap/schema/inetorgperson.schema############
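# Regenerate the cn=config directory from slapd.conf. This discards whatever
# /etc/openldap/slapd.d held before.
sudo rm -r -- /etc/openldap/slapd.d && sudo mkdir -- /etc/openldap/slapd.d
# slaptest runs as root here and writes the converted config as root, so the
# chown has to come AFTER it (not before, as in the original order) for slapd
# to be able to read its config when it runs as the ldap user.
sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d \
  && sudo chown -R ldap:ldap /etc/openldap/slapd.d
# Foreground run with debug level 1 for bring-up; note this runs slapd as root.
# For normal operation start it via the service manager (or pass -u ldap -g ldap)
# so it drops to the ldap user.
sudo slapd -d 1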