20070829 openldap as a pass through proxy - plembo/onemoretech GitHub Wiki

title: openldap as a pass-through proxy
link: https://onemoretech.wordpress.com/2007/08/29/openldap-as-a-pass-through-proxy/
author: lembobro
description:
post_id: 651
created: 2007/08/29 04:23:00
created_gmt: 2007/08/29 04:23:00
comment_status: open
post_name: openldap-as-a-pass-through-proxy
status: publish
post_type: post

openldap as a pass-through proxy

First, you need to download the latest stable source from the OpenLDAP Project. As of this writing that is v2.3.32.

Next, run `tar xzf` on the archive to unpack the source into a directory for building (I usually use /var/tmp).

For a simple LDAP proxy that can also do dn mapping, use the following configure command:

```
./configure --prefix=/opt/openldap/proxy --enable-ldap --enable-rewrite
```

The path specified in `--prefix` can be anything you like, but keep in mind that you probably don’t want to step on any existing openldap binaries installed by your distribution, so it’s a good idea to segregate the build in its own directory. As with almost all third-party software, my practice is to install to /opt.

Then run `make depend` and `make`, and, after su-ing to root, `make install`.

Once that is done (which on a recent Red Hat family system should complete without any errors), change ownership of the new program directory (/opt/openldap/proxy) to the system ldap user and group (`chown -R ldap:ldap /opt/openldap/proxy`). For convenience, you can also make everything readable and writable by members of the ldap group (`chmod -R g+rw /opt/openldap/proxy`).

My initial slapd.conf to launch an LDAP proxy was pretty simple. Here’s the text (note that in slapd.conf a line beginning with whitespace continues the previous directive, which is how the `acl-bind` arguments are spread over three lines):

```
#
# See slapd.conf(5) for details on configuration options.
#
# This file should NOT be world readable.
#
include /opt/openldap/proxy/etc/openldap/schema/core.schema
include /opt/openldap/proxy/etc/openldap/schema/cosine.schema
include /opt/openldap/proxy/etc/openldap/schema/inetorgperson.schema
pidfile /opt/openldap/proxy/var/run/slapd.pid
argsfile /opt/openldap/proxy/var/run/slapd.args

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to * by self write by users read by anonymous auth

loglevel 256

######## database definitions ################

database ldap
suffix "dc=mydomain,dc=com"
uri "ldap://ldap.mydomain.com"
acl-bind bindmethod=simple
    binddn="cn=proxy,ou=special users,dc=mydomain,dc=com"
    credentials=secret
```

The important thing to note is that the “database” enabled is “ldap”, the proxy back-end. The uri is that of the LDAP server I’m proxying to. The acl-bind directive enables authentication to the target LDAP server for the purpose of applying any access controls in effect there. Without this all binds from the proxy would be as anonymous.
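As an added example (not part of the original post), a small checker that reads a slapd.conf the way slapd does (comments, quoted values, and whitespace-led continuation lines) and audits the back-ldap section for the two things the config above draws attention to: the file must not be world-readable, because `acl-bind` keeps the proxy password in it, and the `uri` scheme in use. The sample config is constructed here; the check for a missing `tls` directive on an `ldap://` uri is my addition and assumes the slapd-ldap(5) `tls` directive.

```python
import shlex
import stat

# Constructed sample mirroring the post's proxy slapd.conf (not a real deployment).
SAMPLE_CONF = """\
# This file should NOT be world readable.
loglevel 256
database ldap
suffix "dc=mydomain,dc=com"
uri "ldap://ldap.mydomain.com"
acl-bind bindmethod=simple
    binddn="cn=proxy,ou=special users,dc=mydomain,dc=com"
    credentials=secret
"""


def parse_slapd_conf(text):
    """Return (global_directives, databases); each directive is (keyword, args)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                   # blank line or comment
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()           # leading blank = continuation
        else:
            logical.append(raw.strip())
    globals_, databases, current = [], [], None
    for line in logical:
        keyword, *args = shlex.split(line)             # honours "quoted values"
        if keyword == "database":                      # opens a new backend section
            databases.append({"type": args[0], "directives": []})
            current = databases[-1]["directives"]
        else:
            (globals_ if current is None else current).append((keyword, args))
    return globals_, databases


def audit_proxy(text, mode):
    """Findings for the back-ldap section(s) of a slapd.conf whose file mode is `mode`."""
    findings = []
    if mode & stat.S_IROTH:                            # the file holds a bind password
        findings.append("config is world-readable (mode %o)" % stat.S_IMODE(mode))
    for db in (d for d in parse_slapd_conf(text)[1] if d["type"] == "ldap"):
        d = dict(db["directives"])                     # keyword -> args
        opts = dict(a.split("=", 1) for a in d.get("acl-bind", []) if "=" in a)
        if "credentials" in opts:
            findings.append("acl-bind keeps the proxy password in cleartext in the file")
        if d.get("uri", [""])[0].startswith("ldap://") and "tls" not in d:
            findings.append("acl-bind goes over plain ldap:// with no 'tls' directive")
    return findings
```

To audit a real file, pass `open(path).read()` and `os.stat(path).st_mode` to `audit_proxy`.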

Actually starting up this new slapd can be done with the following syntax:

```
/opt/openldap/proxy/libexec/slapd -4 -h ldap://myhost.mydomain.com:1389 -n slapd-ldap -u ldap -g ldap
```

The slapd executable is the one we built from source and installed under /opt. The `-4` option tells slapd to listen for IPv4 clients only. The `-h` option specifies the uri the proxy server listens on. In this case I’ve given a DNS name, but you could just as easily specify an IP address. You must specify the listening port explicitly, or it will use the standard LDAP port 389. `-n` lets you name the new slapd process so it can be easily differentiated from any others running on the same box. `-u` and `-g` specify the system user and group to run the server as.

P.S. If you’re having trouble getting slapd to come up, use the `-d` option with some value (I usually just use `1`) to get debugging info echoed to the console. Keep in mind that this will cause slapd not to fork, so it will only stay up as long as the console you invoked it from is up. In addition, you can log via syslog by specifying `-l LOCAL6` (or another logging facility) on the command line and defining the log path in /etc/syslog.conf (be sure to reload syslog with the new config info).

Copyright 2004-2019 Phil Lembo