1SLAPO-REMOTEAUTH(5) File Formats Manual SLAPO-REMOTEAUTH(5)
2
3
4
6 slapo-remoteauth - Delegate authentication requests to remote directo‐
7 ries, e.g. Active Directory
8
10 /etc/openldap/slapd.conf
11
13 The remoteauth overlay to slapd(8) provides passthrough authentication
14 to remote directory servers, e.g. Active Directory, for LDAP simple
15 bind operations. The local LDAP entry referenced in the bind operation
16 is mapped to its counterpart in the remote directory. An LDAP bind op‐
17 eration is performed against the remote directory and results are re‐
18 turned based on those of the remote operation.
19
20 A slapd server configured with the remoteauth overlay handles an au‐
21 thentication request based on the presence of userPassword in the local
22 entry. If the userPassword is present, authentication is performed lo‐
23 cally, otherwise the remoteauth overlay performs the authentication re‐
24 quest to the configured remote directory server.
25
27 The following options can be applied to the remoteauth overlay within
28 the slapd.conf file. All options should follow the overlay remoteauth
29 directive.
30
31
32 overlay remoteauth
33 This directive adds the remoteauth overlay to the current data‐
34 base, see slapd.conf(5) for details.
35
36
37 remoteauth_dn_attribute <dnattr>
38 Attribute in the local entry that is used to store the bind DN
39 to a remote directory server.
40
41
42 remoteauth_mapping <domain> <hostname|LDAP
43 URI|file:///path/to/list_of_hostnames>
44 For a non-Windows deployment, a domain can be considered as a
45 collection of one or more hosts to which slapd server authent‐
46 cates against on behalf of authenticating users. For a given
47 domain name, the mapping specifies the target server(s), e.g.,
48 Active Directory domain controller(s), to connect to via LDAP.
49 The second argument can be given either as a hostname, an LDAP
50 URI, or a file containing a list of hostnames/URIs, one per
51 line. The hostnames are tried in sequence until the connection
52 succeeds.
53
54 This option can be provided more than once to provide mapping
55 information for different domains. For example:
56
57 remoteauth_mapping americas file:///path/to/americas.domain.hosts
58 remoteauth_mapping asiapacific file:///path/to/asiapacific.domain.hosts
59 remoteauth_mapping emea emeadc1.emea.example.com
60
61
62 remoteauth_domain_attribute <attr>
63 Attribute in the local entry that specifies the domain name, any
64 text after "\" or ":" is ignored.
65
66
67 remoteauth_default_domain <default domain>
68 Default domain.
69
70
71
72 remoteauth_default_realm <server>
73 Fallback server to connect to for domains not specified in re‐
74 moteauth_mapping.
75
76
77 remoteauth_retry_count <num>
78 Number of connection retries attempted. Default is 3.
79
80
81 remoteauth_store <on|off>
82 Whether to store the password in the local entry on successful
83 bind. Default is off.
84
85
86 remoteauth_tls [starttls=yes] [tls_cert=<file>] [tls_key=<file>]
87 [tls_cacert=<file>] [tls_cacertdir=<path>]
88 [tls_reqcert=never|allow|try|demand]
89 [tls_reqsan=never|allow|try|demand] [tls_cipher_suite=<ciphers>]
90 [tls_ecname=<names>] [tls_crlcheck=none|peer|all]
91 Remoteauth specific TLS configuration, see slapd.conf(5) for
92 more details on each of the parameters and defaults.
93
94
95 remoteauth_tls_peerkey_hash <hostname> <hashname>:<base64 of public key
96 hash>
97 Mapping between remote server hostnames and their public key
98 hashes. Only one mapping per hostname is supported and if any
99 pins are specified, all hosts need to be pinned. If set, pinning
100 is in effect regardless of whether or not certificate name
101 validation is enabled by tls_reqcert.
102
103
105 A typical example configuration of remoteauth overlay for AD is shown
106 below (as a slapd.conf(5) snippet):
107
108
109 database <database>
110 #...
111
112 overlay remoteauth
113 remoteauth_dn_attribute seeAlso
114 remoteauth_domain_attribute associatedDomain
115 remoteauth_default_realm americas.example.com
116
117 remoteauth_mapping americas file:///home/ldap/etc/remoteauth.americas
118 remoteauth_mapping emea emeadc1.emea.example.com
119
120 remoteauth_tls starttls=yes tls_reqcert=demand tls_cacert=/home/ldap/etc/example-ca.pem
121 remoteauth_tls_peerkey_hash ldap.americas.tld sha256:Bxv3MkLoDm6gt/iDfeGNdNNqa5TTpPDdIwvZM/cIgeo=
122
123 Where seeAlso contains the AD bind DN for the user, associatedDomain
124 contains the Windows Domain Id in the form of <NT-domain-name>:<NT-
125 username> in which anything following, including ":", is ignored.
126
127
129 slapd.conf(5), slapd(8).
130
131
133 Copyright 2004-2022 The OpenLDAP Foundation. Portions Copyright
134 2004-2017 Howard Chu, Symas Corporation. Portions Copyright 2017-2021
135 Ondřej Kuzník, Symas Corporation. Portions Copyright 2004 Hewlett-
136 Packard Company
137
138
139
140OpenLDAP 2.6.6 2023/07/31 SLAPO-REMOTEAUTH(5)