Delegate authentication requests to remote directories, e.g. Active Directory

Name
slapo-remoteauth - Delegate authentication requests to remote directories, e.g. Active Directory
Synopsis
ETCDIR/slapd.conf
Description
The remoteauth overlay to slapd(8) provides passthrough authentication to remote directory servers, e.g. Active Directory, for LDAP simple bind operations. The local LDAP entry referenced in the bind operation is mapped to its counterpart in the remote directory. An LDAP bind operation is performed against the remote directory and results are returned based on those of the remote operation.

A slapd server configured with the remoteauth overlay handles an authentication request based on the presence of userPassword in the local entry. If userPassword is present, authentication is performed locally; otherwise the remoteauth overlay performs the authentication request against the configured remote directory server.
Configuration
The following options can be applied to the remoteauth overlay within the slapd.conf file. All options should follow the overlay remoteauth directive.

overlay remoteauth
    This directive adds the remoteauth overlay to the current database, see slapd.conf(5) for details.

remoteauth_dn_attribute <dnattr>
    Attribute in the local entry that is used to store the bind DN to a remote directory server.

remoteauth_mapping <domain> <hostname|LDAP URI|file:///path/to/list_of_hostnames>
    For a non-Windows deployment, a domain can be considered as a collection of one or more hosts which the slapd server authenticates against on behalf of authenticating users. For a given domain name, the mapping specifies the target server(s), e.g., Active Directory domain controller(s), to connect to via LDAP. The second argument can be given either as a hostname, an LDAP URI, or a file containing a list of hostnames/URIs, one per line. The hostnames are tried in sequence until the connection succeeds. This option can be provided more than once to provide mapping information for different domains. For example:

        remoteauth_mapping americas file:///path/to/americas.domain.hosts
        remoteauth_mapping asiapacific file:///path/to/asiapacific.domain.hosts
        remoteauth_mapping emea emeadc1.emea.example.com

remoteauth_domain_attribute <attr>
    Attribute in the local entry that specifies the domain name; any text after "\" or ":" is ignored.

remoteauth_default_domain <default domain>
    Default domain.

remoteauth_default_realm <server>
    Fallback server to connect to for domains not specified in remoteauth_mapping.

remoteauth_retry_count <num>
    Number of connection retries attempted. Default is 3.

remoteauth_store <on|off>
    Whether to store the password in the local entry on successful bind. Default is off.

remoteauth_tls [starttls=yes] [tls_cert=<file>] [tls_key=<file>] [tls_cacert=<file>] [tls_cacertdir=<path>] [tls_reqcert=never|allow|try|demand] [tls_reqsan=never|allow|try|demand] [tls_cipher_suite=<ciphers>] [tls_ecname=<names>] [tls_crlcheck=none|peer|all]
    Remoteauth specific TLS configuration, see slapd.conf(5) for more details on each of the parameters and defaults.

remoteauth_tls_peerkey_hash <hostname> <hashname>:<base64 of public key hash>
    Mapping between remote server hostnames and their public key hashes. Only one mapping per hostname is supported, and if any pins are specified, all hosts need to be pinned. If set, pinning is in effect regardless of whether or not certificate name validation is enabled by tls_reqcert.
Examples
A typical example configuration of the remoteauth overlay for AD is shown below (as a slapd.conf(5) snippet):

    database <database>
    #...
    overlay remoteauth
    remoteauth_dn_attribute seeAlso
    remoteauth_domain_attribute associatedDomain
    remoteauth_default_realm americas.example.com
    remoteauth_mapping americas file:///home/ldap/etc/remoteauth.americas
    remoteauth_mapping emea emeadc1.emea.example.com
    remoteauth_tls starttls=yes tls_reqcert=demand tls_cacert=/home/ldap/etc/example-ca.pem
    remoteauth_tls_peerkey_hash ldap.americas.tld sha256:Bxv3MkLoDm6gt/iDfeGNdNNqa5TTpPDdIwvZM/cIgeo=

Here seeAlso contains the AD bind DN for the user, and associatedDomain contains the Windows Domain Id in the form <NT-domain-name>:<NT-username>, in which anything following the domain name, including ":", is ignored.
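The target-resolution rules this page describes (local bind when userPassword is present, domain taken from the domain attribute up to the first "\" or ":", remoteauth_default_domain for an empty value, mapping lookup with file:/// host lists, fallback to remoteauth_default_realm), as an added Python illustration; this is not OpenLDAP code, and the slapd.conf snippet and host-list file contents are constructed. Domain names are matched exactly, since the page does not state whether matching is case-insensitive.

```python
import re

# Constructed stand-ins: a slapd.conf snippet modelled on the Examples section and the
# contents of the file:/// host list it references (not taken from any real deployment).
SAMPLE_CONF = """\
overlay remoteauth
remoteauth_dn_attribute seeAlso
remoteauth_domain_attribute associatedDomain
remoteauth_default_domain americas
remoteauth_default_realm fallback.example.com
remoteauth_mapping americas file:///home/ldap/etc/remoteauth.americas
remoteauth_mapping emea emeadc1.emea.example.com
"""
SAMPLE_FILES = {"/home/ldap/etc/remoteauth.americas":
                "dc1.americas.example.com\ndc2.americas.example.com\n"}

def parse_remoteauth(conf_text, files):
    """Collect remoteauth_* directives; a file:/// mapping is expanded from `files`."""
    cfg = {"mapping": {}}
    for line in conf_text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith("remoteauth_"):
            continue
        key = parts[0][len("remoteauth_"):]
        if key == "mapping":
            domain, target = parts[1], parts[2]
            if target.startswith("file://"):
                path = target[len("file://"):]
                hosts = [h.strip() for h in files[path].splitlines() if h.strip()]
            else:
                hosts = [target]
            cfg["mapping"][domain] = hosts  # tried in this order
        else:
            cfg[key] = parts[1]
    return cfg

def domain_from_attr(value, cfg):
    """Text after the first backslash or ':' is ignored; empty means the default domain."""
    domain = re.split(r"[\\:]", value or "", maxsplit=1)[0]
    return domain or cfg.get("default_domain")

def bind_targets(entry, cfg):
    """'local' when the entry carries userPassword, otherwise the remote hosts tried in order."""
    if entry.get("userPassword"):
        return "local"
    domain = domain_from_attr(entry.get(cfg["domain_attribute"]), cfg)
    hosts = cfg["mapping"].get(domain)
    if hosts is None and "default_realm" in cfg:
        hosts = [cfg["default_realm"]]  # fallback for unmapped domains
    return hosts or []
```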
See also
slapd.conf(5), slapd(8).