NAME
       slapo-remoteauth - Delegate authentication requests to remote directories, e.g. Active Directory

SYNOPSIS
       /usr/local/etc/openldap/slapd.conf

DESCRIPTION
       The remoteauth overlay to slapd(8) provides passthrough authentication to remote directory servers, e.g. Active Directory, for LDAP simple bind operations. The local LDAP entry referenced in the bind operation is mapped to its counterpart in the remote directory. An LDAP bind operation is performed against the remote directory and results are returned based on those of the remote operation.

       A slapd server configured with the remoteauth overlay handles an authentication request based on the presence of userPassword in the local entry. If userPassword is present, authentication is performed locally; otherwise the remoteauth overlay performs the authentication request against the configured remote directory server.

CONFIGURATION
       The following options can be applied to the remoteauth overlay within the slapd.conf file. All options should follow the overlay remoteauth directive.

       remoteauth_tls [starttls=yes] [tls_cert=<file>] [tls_key=<file>] [tls_cacert=<file>] [tls_cacertdir=<path>] [tls_reqcert=never|allow|try|demand] [tls_reqsan=never|allow|try|demand] [tls_cipher_suite=<ciphers>] [tls_ecname=<names>] [tls_crlcheck=none|peer|all]
              remoteauth-specific TLS configuration; see slapd.conf(5) for more details on each of the parameters and their defaults.
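       The bind routing described in DESCRIPTION, modelled in Python with the attribute and mapping settings from the EXAMPLE section below; this is an added illustration, not the overlay's own code, and it performs no LDAP I/O. The exact-match domain lookup and the "fail" result for entries with no mapping are assumptions; the manual page does not describe those cases.

```python
from typing import Dict, List

# Settings copied from the EXAMPLE section of this manual page.
DN_ATTRIBUTE = "seeAlso"
DOMAIN_ATTRIBUTE = "associatedDomain"
MAPPINGS = {
    "americas": "file:///home/ldap/etc/remoteauth.americas",
    "emea": "emeadc1.emea.example.com",
}

Entry = Dict[str, List[str]]  # attribute name -> values; stand-in for a local entry

def nt_domain(value: str) -> str:
    """associatedDomain holds <NT-domain-name>:<NT-username>; everything
    from the first ':' onward is ignored, so only the domain is kept."""
    return value.split(":", 1)[0]

def route_bind(entry: Entry) -> dict:
    """Decide how a simple bind against a local entry is handled.

    userPassword present -> authenticated locally, the overlay does nothing.
    Otherwise the bind is forwarded to the remote directory mapped from the
    entry's NT domain, using the seeAlso value as the remote bind DN.
    Incomplete or unmapped entries are reported as 'fail' here; the manual
    page does not describe how the overlay itself treats them.
    """
    if entry.get("userPassword"):
        return {"where": "local"}
    domains = entry.get(DOMAIN_ATTRIBUTE, [])
    remote_dns = entry.get(DN_ATTRIBUTE, [])
    if not domains or not remote_dns:
        return {"where": "fail", "reason": "missing mapping attributes"}
    domain = nt_domain(domains[0])
    # Exact-match lookup is a simplification; the page does not say how
    # the overlay compares domain names.
    target = MAPPINGS.get(domain)
    if target is None:
        return {"where": "fail", "reason": f"no remoteauth_mapping for {domain}"}
    return {"where": "remote", "bind_dn": remote_dns[0], "target": target}

# Constructed sample entries, not real directory data.
SAMPLE_ENTRIES = {
    "alice": {"userPassword": ["{SSHA}placeholder-hash"]},
    "bob": {DN_ATTRIBUTE: ["CN=bob,OU=Users,DC=emea,DC=example,DC=com"],
            DOMAIN_ATTRIBUTE: ["emea:bob"]},
    "carol": {DN_ATTRIBUTE: ["CN=carol,OU=Users,DC=apac,DC=example,DC=com"],
              DOMAIN_ATTRIBUTE: ["apac:carol"]},
}
```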
EXAMPLE
       A typical example configuration of the remoteauth overlay for AD is shown below (as a slapd.conf(5) snippet):

              database <database>
              #...
              overlay remoteauth
              remoteauth_dn_attribute seeAlso
              remoteauth_domain_attribute associatedDomain
              remoteauth_default_realm americas.example.com
              remoteauth_mapping americas file:///home/ldap/etc/remoteauth.americas
              remoteauth_mapping emea emeadc1.emea.example.com
              remoteauth_tls starttls=yes tls_reqcert=demand tls_cacert=/home/ldap/etc/example-ca.pem
              remoteauth_tls_peerkey_hash ldap.americas.tld sha256:Bxv3MkLoDm6gt/iDfeGNdNNqa5TTpPDdIwvZM/cIgeo=

       Here seeAlso contains the AD bind DN for the user, and associatedDomain contains the Windows domain ID in the form <NT-domain-name>:<NT-username>, where everything from the ":" onward (the ":" included) is ignored.

SEE ALSO
       slapd.conf(5), slapd(8).

COPYRIGHT
       Copyright 2004-2022 The OpenLDAP Foundation. Portions Copyright 2004-2017 Howard Chu, Symas Corporation. Portions Copyright 2017-2021 Ondřej Kuzník, Symas Corporation. Portions Copyright 2004 Hewlett-Packard Company.