1SLAPO-REMOTEAUTH(5)           File Formats Manual          SLAPO-REMOTEAUTH(5)
2
3
4

NAME

6       slapo-remoteauth  - Delegate authentication requests to remote directo‐
7       ries, e.g. Active Directory
8

SYNOPSIS

10       /etc/openldap/slapd.conf
11

DESCRIPTION

13       The remoteauth overlay to slapd(8) provides passthrough  authentication
14       to  remote  directory  servers, e.g.  Active Directory, for LDAP simple
15       bind operations. The local LDAP entry referenced in the bind  operation
16       is  mapped to its counterpart in the remote directory. An LDAP bind op‐
17       eration is performed against the remote directory and results  are  re‐
18       turned based on those of the remote operation.
19
20       A  slapd  server  configured with the remoteauth overlay handles an au‐
21       thentication request based on the presence of userPassword in the local
22       entry.  If the userPassword is present, authentication is performed lo‐
23       cally, otherwise the remoteauth overlay performs the authentication re‐
24       quest to the configured remote directory server.
25

CONFIGURATION

27       The  following  options can be applied to the remoteauth overlay within
28       the slapd.conf file. All options should follow the  overlay  remoteauth
29       directive.
30
31
32       overlay remoteauth
33              This  directive adds the remoteauth overlay to the current data‐
34              base, see slapd.conf(5) for details.
35
36
37       remoteauth_dn_attribute <dnattr>
38              Attribute in the local entry that is used to store the  bind  DN
39              to a remote directory server.
40
41
42       remoteauth_mapping                <domain>               <hostname|LDAP
43       URI|file:///path/to/list_of_hostnames>
44              For a non-Windows deployment, a domain can be  considered  as  a
45              collection  of  one or more hosts to which slapd server authent‐
46              cates against on behalf of authenticating users.   For  a  given
47              domain  name,  the mapping specifies the target server(s), e.g.,
48              Active Directory domain controller(s), to connect to  via  LDAP.
49              The  second  argument can be given either as a hostname, an LDAP
50              URI, or a file containing a  list  of  hostnames/URIs,  one  per
51              line.  The  hostnames are tried in sequence until the connection
52              succeeds.
53
54              This option can be provided more than once  to  provide  mapping
55              information for different domains. For example:
56
57                  remoteauth_mapping americas file:///path/to/americas.domain.hosts
58                  remoteauth_mapping asiapacific file:///path/to/asiapacific.domain.hosts
59                  remoteauth_mapping emea emeadc1.emea.example.com
60
61
62       remoteauth_domain_attribute <attr>
63              Attribute in the local entry that specifies the domain name, any
64              text after "\" or ":" is ignored.
65
66
67       remoteauth_default_domain <default domain>
68              Default domain.
69
70
71
72       remoteauth_default_realm <server>
73              Fallback server to connect to for domains not specified  in  re‐
74              moteauth_mapping.
75
76
77       remoteauth_retry_count <num>
78              Number of connection retries attempted. Default is 3.
79
80
81       remoteauth_store <on|off>
82              Whether  to  store the password in the local entry on successful
83              bind. Default is off.
84
85
86       remoteauth_tls   [starttls=yes]   [tls_cert=<file>]    [tls_key=<file>]
87              [tls_cacert=<file>]                       [tls_cacertdir=<path>]
88              [tls_reqcert=never|allow|try|demand]
89              [tls_reqsan=never|allow|try|demand] [tls_cipher_suite=<ciphers>]
90              [tls_ecname=<names>] [tls_crlcheck=none|peer|all]
91              Remoteauth specific TLS  configuration,  see  slapd.conf(5)  for
92              more details on each of the parameters and defaults.
93
94
95       remoteauth_tls_peerkey_hash <hostname> <hashname>:<base64 of public key
96       hash>
97              Mapping between remote server hostnames  and  their  public  key
98              hashes.  Only  one  mapping per hostname is supported and if any
99              pins are specified, all hosts need to be pinned. If set, pinning
100              is  in  effect  regardless  of  whether  or not certificate name
101              validation is enabled by tls_reqcert.
102
103

EXAMPLE

105       A typical example configuration of remoteauth overlay for AD  is  shown
106       below (as a slapd.conf(5) snippet):
107
108
109          database <database>
110          #...
111
112          overlay remoteauth
113          remoteauth_dn_attribute seeAlso
114          remoteauth_domain_attribute associatedDomain
115          remoteauth_default_realm americas.example.com
116
117          remoteauth_mapping americas file:///home/ldap/etc/remoteauth.americas
118          remoteauth_mapping emea emeadc1.emea.example.com
119
120          remoteauth_tls starttls=yes tls_reqcert=demand tls_cacert=/home/ldap/etc/example-ca.pem
121          remoteauth_tls_peerkey_hash ldap.americas.tld sha256:Bxv3MkLoDm6gt/iDfeGNdNNqa5TTpPDdIwvZM/cIgeo=
122
123       Where  seeAlso  contains  the AD bind DN for the user, associatedDomain
124       contains the Windows Domain Id in  the  form  of  <NT-domain-name>:<NT-
125       username> in which anything following, including ":", is ignored.
126
127

SEE ALSO

129       slapd.conf(5), slapd(8).
130
131

Copyrights

133       Copyright   2004-2022  The  OpenLDAP  Foundation.   Portions  Copyright
134       2004-2017 Howard Chu, Symas Corporation.  Portions Copyright  2017-2021
135       Ondřej  Kuzník,  Symas  Corporation.   Portions Copyright 2004 Hewlett-
136       Packard Company
137
138
139
140OpenLDAP 2.6.6                    2023/07/31               SLAPO-REMOTEAUTH(5)
Impressum