NAME

       slapo-remoteauth  -  Delegate  authentication  requests to remote directories, e.g. Active
       Directory

SYNOPSIS

       /etc/ldap/slapd.conf

DESCRIPTION

       The remoteauth overlay to slapd(8) provides passthrough authentication to remote directory
       servers,  e.g.   Active  Directory,  for LDAP simple bind operations. The local LDAP entry
       referenced in the bind operation is mapped to its counterpart in the remote directory.  An
       LDAP  bind  operation  is  performed against the remote directory and results are returned
       based on those of the remote operation.

       A slapd server configured with the remoteauth overlay handles  an  authentication  request
       based  on the presence of userPassword in the local entry. If the userPassword is present,
       authentication is  performed  locally,  otherwise  the  remoteauth  overlay  performs  the
       authentication request to the configured remote directory server.

CONFIGURATION

       The following options can be applied to the remoteauth overlay within the slapd.conf file.
       All options should follow the overlay remoteauth directive.

       overlay remoteauth
              This  directive  adds  the  remoteauth  overlay  to  the  current   database,   see
              slapd.conf(5) for details.

       remoteauth_dn_attribute <dnattr>
              Attribute  in  the  local  entry  that  is  used  to  store the bind DN to a remote
              directory server.

       remoteauth_mapping <domain> <hostname|LDAP URI|file:///path/to/list_of_hostnames>
              For a non-Windows deployment, a domain can be considered as a collection of one  or
              more  hosts  to which slapd server authentcates against on behalf of authenticating
              users.  For a given domain name, the mapping specifies the target server(s),  e.g.,
              Active Directory domain controller(s), to connect to via LDAP.  The second argument
              can be given either as a hostname, an LDAP URI, or a  file  containing  a  list  of
              hostnames/URIs,  one  per  line.  The  hostnames  are  tried  in sequence until the
              connection succeeds.

              This option can be provided more than  once  to  provide  mapping  information  for
              different domains. For example:

                  remoteauth_mapping americas file:///path/to/americas.domain.hosts
                  remoteauth_mapping asiapacific file:///path/to/asiapacific.domain.hosts
                  remoteauth_mapping emea emeadc1.emea.example.com

       remoteauth_domain_attribute <attr>
              Attribute  in the local entry that specifies the domain name, any text after "\" or
              ":" is ignored.

       remoteauth_default_domain <default domain>
              Default domain.

       remoteauth_default_realm <server>
              Fallback server to connect to for domains not specified in remoteauth_mapping.

       remoteauth_retry_count <num>
              Number of connection retries attempted. Default is 3.

       remoteauth_store <on|off>
              Whether to store the password in the local entry on  successful  bind.  Default  is
              off.

       remoteauth_tls   [starttls=yes]   [tls_cert=<file>]  [tls_key=<file>]  [tls_cacert=<file>]
              [tls_cacertdir=<path>]                         [tls_reqcert=never|allow|try|demand]
              [tls_reqsan=never|allow|try|demand]                    [tls_cipher_suite=<ciphers>]
              [tls_ecname=<names>] [tls_crlcheck=none|peer|all]
              Remoteauth specific TLS configuration, see slapd.conf(5) for more details  on  each
              of the parameters and defaults.

       remoteauth_tls_peerkey_hash <hostname> <hashname>:<base64 of public key hash>
              Mapping  between  remote  server  hostnames  and  their public key hashes. Only one
              mapping per hostname is supported and if any pins are specified, all hosts need  to
              be  pinned.  If  set, pinning is in effect regardless of whether or not certificate
              name validation is enabled by tls_reqcert.

EXAMPLE

       A typical example configuration of  remoteauth  overlay  for  AD  is  shown  below  (as  a
       slapd.conf(5) snippet):

          database <database>
          #...

          overlay remoteauth
          remoteauth_dn_attribute seeAlso
          remoteauth_domain_attribute associatedDomain
          remoteauth_default_realm americas.example.com

          remoteauth_mapping americas file:///home/ldap/etc/remoteauth.americas
          remoteauth_mapping emea emeadc1.emea.example.com

          remoteauth_tls starttls=yes tls_reqcert=demand tls_cacert=/home/ldap/etc/example-ca.pem
          remoteauth_tls_peerkey_hash ldap.americas.tld sha256:Bxv3MkLoDm6gt/iDfeGNdNNqa5TTpPDdIwvZM/cIgeo=

       Where  seeAlso contains the AD bind DN for the user, associatedDomain contains the Windows
       Domain Id in the form  of  <NT-domain-name>:<NT-username>  in  which  anything  following,
       including ":", is ignored.

SEE ALSO

       slapd.conf(5), slapd(8).

Copyrights

       Copyright  2004-2022  The  OpenLDAP  Foundation.  Portions Copyright 2004-2017 Howard Chu,
       Symas  Corporation.   Portions  Copyright  2017-2021  Ondřej  Kuzník,  Symas  Corporation.
       Portions Copyright 2004 Hewlett-Packard Company