OpenLdap Pass-thru Auth to AD
Last year I rolled out CentOS 6.7 VDI in my lab environment. To use AD credentials in the Linux environment, OpenLDAP has to be configured so that the client VMs can authenticate Windows users through it. Once the parent image is joined to the OpenLDAP domain, every clone that is provisioned needs no further configuration. It just works. This is the method that VMware recommends (VMware Horizon 7). The only problem is that VMware does not provide the configuration.
The Linux distro I used for this document is the Debian (jessie) based 'Turnkey', which already comes with OpenLDAP preconfigured, so it saves a lot of steps and time.
- SSH into your openldap server
- apt-get update
- apt-get install libsasl2-2 sasl2-bin libsasl2-modules
- vi /etc/default/saslauthd and set START=yes and MECHANISMS="ldap"
- Save and quit (:wq in vi, or Ctrl+X in nano)
- mkdir /var/run/saslauthd/mux
- Change the permissions of /var/run/saslauthd and /var/run/saslauthd/mux to 755
- If /etc/saslauthd.conf does not exist, create it (touch /etc/saslauthd.conf) and set 755 permissions on it.
- Configure /etc/saslauthd.conf as follows:
ldap_bind_dn: CN=openldap,CN=Users,DC=oslab,DC=com   (do not use a domain admin account)
- To determine the account under which slapd is running, check the SLAPD_USER parameter in /etc/default/slapd.
- Add that account to the sasl group: # adduser openldap sasl
- Edit the file /etc/ldap/sasl2/slapd.conf; if it does not exist, create it.
Testing pass-through authentication
I will use an AD user account to test and make sure that we can authenticate through OpenLDAP.
root@openldap ~# testsaslauthd -u user1 -p Password1
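A configuration check for the saslauthd.conf built above, added here as an example; it is not from the original post and not a VMware or Turnkey tool. It assumes the standard saslauthd ldap_* keys and the ldap_start_tls option, and constructs its own sample file, in which the dc01 host, the filter and the password are placeholders. Because the file holds the bind account's password in clear text, the check flags a world-readable mode alongside missing keys, an admin-looking bind DN and plain ldap:// without TLS.

```shell
#!/bin/sh
# Added audit helper, not code from the original post. Checks a saslauthd.conf used
# for pass-through auth to AD: required ldap_* keys, file mode (the file stores
# ldap_password in clear text), admin-looking bind DN, ldap:// without TLS.
audit_saslauthd_conf() {           # exit status = number of findings
    conf="$1"
    findings=0
    # Keys saslauthd's ldap mechanism needs to find and bind to AD users.
    for key in ldap_servers ldap_search_base ldap_filter ldap_bind_dn ldap_password; do
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*:" "$conf"; then
            echo "MISSING: $key is not set"
            findings=$((findings + 1))
        fi
    done
    # Others must not be able to read the bind password.
    mode=$(stat -c '%a' "$conf")
    case "$mode" in
        *[4567]) echo "PERMS: $conf is world-readable (mode $mode); use 0640 or tighter"
                 findings=$((findings + 1)) ;;
    esac
    # The bind account should be a dedicated low-privilege user, never an admin.
    bind_dn=$(sed -n 's/^[[:space:]]*ldap_bind_dn[[:space:]]*:[[:space:]]*//p' "$conf")
    case "$bind_dn" in
        *[Aa]dmin*) echo "BIND: $bind_dn looks privileged; use a dedicated low-privilege account"
                    findings=$((findings + 1)) ;;
    esac
    # Without TLS the bind password and every user's password cross the wire in clear.
    servers=$(sed -n 's/^[[:space:]]*ldap_servers[[:space:]]*:[[:space:]]*//p' "$conf")
    case "$servers" in
        *ldap://*)
            if ! grep -Eiq '^[[:space:]]*ldap_start_tls[[:space:]]*:[[:space:]]*yes' "$conf"; then
                echo "TLS: ldap:// without 'ldap_start_tls: yes' (or use ldaps://)"
                findings=$((findings + 1))
            fi ;;
    esac
    return "$findings"
}

# Constructed sample config (host, filter and password are placeholders) written
# to the given path so the audit can be tried without a real AD.
write_sample_conf() {
    cat > "$1" <<'EOF'
ldap_servers: ldap://dc01.oslab.com
ldap_search_base: DC=oslab,DC=com
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: CN=openldap,CN=Users,DC=oslab,DC=com
ldap_password: PLACEHOLDER-bind-password
EOF
    chmod 755 "$1"   # the mode the post's steps give; the audit flags it
}
```

Run it against the real file with audit_saslauthd_conf /etc/saslauthd.conf; a zero exit status means no findings.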