Provided by: slapd_2.6.7+dfsg-1~exp1ubuntu8.2_amd64

NAME

       slapo-remoteauth - Delegate authentication requests to remote directories, e.g. Active Directory

SYNOPSIS

       /etc/ldap/slapd.conf

DESCRIPTION

       The  remoteauth overlay to slapd(8) provides passthrough authentication to remote directory servers, e.g.
       Active Directory, for LDAP simple bind operations. The local LDAP entry referenced in the bind  operation
       is  mapped  to  its  counterpart in the remote directory. An LDAP bind operation is performed against the
       remote directory and the result returned to the client is based on the result of that remote  operation.
       Since  a  simple  bind  carries  the  user's  password  in the request, the connection to the remote
       directory should be protected with remoteauth_tls (see below).

       A slapd server configured with the remoteauth overlay handles an  authentication  request  based  on  the
       presence  of userPassword in the local entry. If the userPassword is present, authentication is performed
       locally, otherwise the remoteauth overlay performs the authentication request to  the  configured  remote
       directory server.

CONFIGURATION

       The  following  options  can be applied to the remoteauth overlay within the slapd.conf file. All options
       should follow the overlay remoteauth directive.

       overlay remoteauth
              This directive adds the remoteauth overlay to the current database, see slapd.conf(5) for details.

       remoteauth_dn_attribute <dnattr>
              Attribute in the local entry that is used to store the bind DN to a remote directory server.

       remoteauth_mapping <domain> <hostname|LDAP URI|file:///path/to/list_of_hostnames>
              For a non-Windows deployment, a domain can be considered as a collection of one or more  hosts
              against  which  the  slapd server authenticates on behalf of binding users.  For a given domain
              name, the mapping specifies the target server(s), e.g., Active Directory domain controller(s),
              to  connect  to  via  LDAP.   The second argument can be given either as a hostname, an LDAP URI,
              or a file containing a list of hostnames/URIs, one per line. The hostnames are tried in sequence
              until the connection succeeds.

              This  option  can be provided more than once to provide mapping information for different domains.
              For example:

                  remoteauth_mapping americas file:///path/to/americas.domain.hosts
                  remoteauth_mapping asiapacific file:///path/to/asiapacific.domain.hosts
                  remoteauth_mapping emea emeadc1.emea.example.com

       remoteauth_domain_attribute <attr>
              Attribute in the local entry that specifies the domain name, any text after "\" or ":" is ignored.

       remoteauth_default_domain <default domain>
              Default domain.

       remoteauth_default_realm <server>
              Fallback server to connect to for domains not specified in remoteauth_mapping.

       remoteauth_retry_count <num>
              Number of connection retries attempted. Default is 3.

       remoteauth_store <on|off>
              Whether to store the password in the local entry on successful bind. Default is off.  Note  that
              once  a  password  has  been  stored  locally, a later bind for that entry can succeed against the
              stored value without the remote directory being consulted (see DESCRIPTION), so a password change
              or account disablement in the remote directory is not reflected until the local value is removed.

       remoteauth_tls      [starttls=yes]      [tls_cert=<file>]      [tls_key=<file>]       [tls_cacert=<file>]
              [tls_cacertdir=<path>]   [tls_reqcert=never|allow|try|demand]  [tls_reqsan=never|allow|try|demand]
              [tls_cipher_suite=<ciphers>] [tls_ecname=<names>] [tls_crlcheck=none|peer|all]
              Remoteauth specific TLS  configuration,  see  slapd.conf(5)  for  more  details  on  each  of  the
              parameters and defaults.

       remoteauth_tls_peerkey_hash <hostname> <hashname>:<base64 of public key hash>
              Mapping between remote server hostnames and their public key hashes. Only one mapping per hostname
              is supported and if any pins are specified, all hosts need to be pinned. If  set,  pinning  is  in
              effect regardless of whether or not certificate name validation is enabled by tls_reqcert.
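       The pin value is derived from the remote server's public key rather than from its certificate, so it
       survives certificate renewals that keep the same key. The following added example (not OpenLDAP code)
       computes and checks such a pin. It assumes, as for TLS_PEERKEY_HASH in ldap.conf(5), that the pinned
       value is the base64 of the hash of the DER-encoded SubjectPublicKeyInfo; the Ed25519 sample key is
       constructed for the example, and the openssl pipeline in the comment is how a real server key would be
       obtained.

```python
import base64
import hashlib
import hmac
import re

# PEM armour as produced for a live server by e.g.:
#   openssl s_client -starttls ldap -connect emeadc1.emea.example.com:389 </dev/null \
#     | openssl x509 -pubkey -noout > emeadc1.pub.pem
PEM_PUBKEY_RE = re.compile(
    r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)


def spki_der_from_pem(pem: str) -> bytes:
    """Return the DER SubjectPublicKeyInfo carried by a PEM PUBLIC KEY block."""
    m = PEM_PUBKEY_RE.search(pem)
    if m is None:
        raise ValueError("no PUBLIC KEY block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def peerkey_pin(spki_der: bytes, hashname: str = "sha256") -> str:
    """<hashname>:<base64 of hash of SPKI DER>, the value remoteauth_tls_peerkey_hash takes
    (assumption: the hash is over the DER SubjectPublicKeyInfo)."""
    digest = hashlib.new(hashname, spki_der).digest()
    return f"{hashname}:{base64.b64encode(digest).decode('ascii')}"


def pin_directive(hostname: str, pem: str) -> str:
    """Complete slapd.conf line pinning one remote host."""
    return f"remoteauth_tls_peerkey_hash {hostname} {peerkey_pin(spki_der_from_pem(pem))}"


def parse_pin(pin: str):
    """Split a configured pin into (hashname, raw digest bytes)."""
    hashname, sep, b64 = pin.partition(":")
    if not sep:
        raise ValueError("pin must be <hashname>:<base64>")
    return hashname, base64.b64decode(b64, validate=True)


def pin_matches(pin: str, spki_der: bytes) -> bool:
    """Check a presented SPKI against a configured pin, comparing digests in constant time."""
    hashname, expected = parse_pin(pin)
    actual = hashlib.new(hashname, spki_der).digest()
    return hmac.compare_digest(expected, actual)


# Constructed sample key: a DER SubjectPublicKeyInfo for Ed25519 is a fixed
# 12-byte prefix followed by the 32 raw key bytes. Stand-in for a real server key.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def constructed_pubkey_pem(key32: bytes) -> str:
    der = ED25519_SPKI_PREFIX + key32
    return ("-----BEGIN PUBLIC KEY-----\n"
            + base64.encodebytes(der).decode("ascii")
            + "-----END PUBLIC KEY-----\n")


SAMPLE_PEM = constructed_pubkey_pem(bytes(range(32)))   # constructed, not a real key
# The pin quoted in the EXAMPLE section of this page, used here only to show
# parsing; it does not correspond to SAMPLE_PEM.
EXAMPLE_PIN = "sha256:Bxv3MkLoDm6gt/iDfeGNdNNqa5TTpPDdIwvZM/cIgeo="

if __name__ == "__main__":
    print(pin_directive("emeadc1.emea.example.com", SAMPLE_PEM))
```

       Because pinning applies to every configured host once any pin is set, run pin_directive once per
       hostname that appears in remoteauth_mapping or in a file:// host list, and regenerate the line whenever
       a server's key (not merely its certificate) is rotated.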

EXAMPLE

       A typical example configuration of remoteauth overlay for AD is shown below (as a slapd.conf(5) snippet):

          database <database>
          #...

          overlay remoteauth
          remoteauth_dn_attribute seeAlso
          remoteauth_domain_attribute associatedDomain
          remoteauth_default_realm americas.example.com

          remoteauth_mapping americas file:///home/ldap/etc/remoteauth.americas
          remoteauth_mapping emea emeadc1.emea.example.com

          remoteauth_tls starttls=yes tls_reqcert=demand tls_cacert=/home/ldap/etc/example-ca.pem
          remoteauth_tls_peerkey_hash ldap.americas.tld sha256:Bxv3MkLoDm6gt/iDfeGNdNNqa5TTpPDdIwvZM/cIgeo=

       Here  seeAlso  holds  the  AD  bind  DN  for  the user and associatedDomain holds the Windows domain
       identifier in the form <NT-domain-name>:<NT-username>; the ":" and everything after it  are  ignored,
       so  only  the  <NT-domain-name>  part  is  used  to  look  up  the  remoteauth_mapping.   Because
       remoteauth_tls_peerkey_hash requires every host to be pinned once any pin is set, a deployment based
       on this snippet would also need pins for emeadc1.emea.example.com and for every other host listed in
       /home/ldap/etc/remoteauth.americas.
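       To make the resolution rules concrete, the following added example (a model written for this page,
       not OpenLDAP code) replays the configuration above against constructed entries: it extracts the domain
       from associatedDomain, expands a file:// host list, falls back to remoteauth_default_domain and
       remoteauth_default_realm, walks the hosts in sequence until one answers, and short-circuits to local
       authentication when userPassword is present. Case-insensitive domain matching, skipping blank lines in
       the host file, and failing a bind whose entry lacks the DN attribute are assumptions of the model; the
       remote directories are stand-ins built in memory.

```python
import os
import tempfile
from typing import Callable, Dict, List, Optional

# remote_bind(host, bind_dn, password) -> True/False for the remote bind result,
# or None when the connection to that host cannot be made (the next host is tried).
RemoteBind = Callable[[str, str, str], Optional[bool]]


class RemoteAuthConfig:
    """The subset of remoteauth_* directives this model interprets."""

    def __init__(self, dn_attribute, domain_attribute, mapping,
                 default_domain=None, default_realm=None):
        self.dn_attribute = dn_attribute
        self.domain_attribute = domain_attribute
        # model assumption: domain names compare case-insensitively
        self.mapping = {d.lower(): target for d, target in mapping.items()}
        self.default_domain = default_domain
        self.default_realm = default_realm


def domain_from_attribute(value: str) -> str:
    """remoteauth_domain_attribute: anything after "\\" or ":" is ignored."""
    for sep in ("\\", ":"):
        value = value.split(sep, 1)[0]
    return value


def expand_target(target: str) -> List[str]:
    """A mapping target is a hostname, an LDAP URI, or file:///path naming a file
    with one hostname/URI per line (blank lines skipped: model assumption)."""
    if target.startswith("file://"):
        with open(target[len("file://"):]) as fh:
            return [line.strip() for line in fh if line.strip()]
    return [target]


def resolve_hosts(cfg: RemoteAuthConfig, entry: Dict[str, List[str]]) -> List[str]:
    """Hosts to try, in order: the mapping for the entry's domain (or for the
    default domain when the attribute is absent), else remoteauth_default_realm."""
    values = entry.get(cfg.domain_attribute)
    domain = domain_from_attribute(values[0]) if values else cfg.default_domain
    target = cfg.mapping.get(domain.lower()) if domain else None
    if target is None:
        target = cfg.default_realm
    return expand_target(target) if target else []


def authenticate(cfg: RemoteAuthConfig, entry, password: str, remote_bind: RemoteBind) -> str:
    """Outcome of a simple bind: 'local' (userPassword present, overlay not consulted),
    'remote-ok', 'remote-fail', or 'unavailable' (no remote host could be reached)."""
    if entry.get("userPassword"):
        return "local"
    bind_dn = entry.get(cfg.dn_attribute, [""])[0]
    if not bind_dn:
        return "remote-fail"          # no remote DN to bind as (model assumption)
    for host in resolve_hosts(cfg, entry):
        result = remote_bind(host, bind_dn, password)
        if result is None:
            continue                  # connection failed: try the next host in sequence
        return "remote-ok" if result else "remote-fail"
    return "unavailable"


def fake_remote(servers: Dict[str, Dict[str, str]]) -> RemoteBind:
    """Constructed stand-in for the remote directories: host -> {bind DN: password};
    a host missing from the dict is unreachable."""
    def remote_bind(host, bind_dn, password):
        if host not in servers:
            return None
        return servers[host].get(bind_dn) == password
    return remote_bind


def demo() -> Dict[str, str]:
    """Replay the EXAMPLE configuration of this page against constructed entries."""
    jane_dn = "CN=Jane Doe,OU=Users,DC=americas,DC=example,DC=com"
    john_dn = "CN=John Roe,OU=Users,DC=emea,DC=example,DC=com"
    with tempfile.TemporaryDirectory() as tmp:
        hosts_file = os.path.join(tmp, "remoteauth.americas")
        with open(hosts_file, "w") as fh:      # first host is unreachable in this demo
            fh.write("ldap.americas.tld\nldaps://dc2.americas.example.com\n")
        cfg = RemoteAuthConfig(
            dn_attribute="seeAlso", domain_attribute="associatedDomain",
            mapping={"americas": "file://" + hosts_file,
                     "emea": "emeadc1.emea.example.com"},
            default_realm="americas.example.com")
        remote = fake_remote({
            "ldaps://dc2.americas.example.com": {jane_dn: "correct horse"},
            "emeadc1.emea.example.com": {john_dn: "battery staple"},
        })
        jane = {"seeAlso": [jane_dn], "associatedDomain": ["AMERICAS:jdoe"]}
        john = {"seeAlso": [john_dn], "associatedDomain": ["EMEA\\jroe"]}
        local = {"userPassword": ["{SSHA}constructed"], "seeAlso": [jane_dn]}
        unmapped = {"seeAlso": [jane_dn], "associatedDomain": ["APAC:x"]}
        return {
            "jane": authenticate(cfg, jane, "correct horse", remote),
            "jane_wrong_pw": authenticate(cfg, jane, "nope", remote),
            "john": authenticate(cfg, john, "battery staple", remote),
            "local": authenticate(cfg, local, "irrelevant", remote),
            "unmapped": authenticate(cfg, unmapped, "correct horse", remote),
        }


if __name__ == "__main__":
    print(demo())
```

       The "unmapped" case is the one to watch in production: a domain with no remoteauth_mapping silently goes
       to remoteauth_default_realm, so a typo in associatedDomain sends the user's credentials to whichever
       server the default realm names.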

SEE ALSO

       slapd.conf(5), slapd(8).

Copyrights

       Copyright 2004-2022 The OpenLDAP Foundation.  Portions Copyright 2004-2017 Howard Chu, Symas Corporation.
       Portions  Copyright  2017-2021 Ondřej Kuzník, Symas Corporation.  Portions Copyright 2004 Hewlett-Packard
       Company