
Active Directory/LDAP replication Windows/Ubuntu

I am trying to set up replication between a Windows AD and OpenLDAP on Ubuntu.

Access to the Windows AD server seems to work OK, and OpenLDAP on Ubuntu also seems to work; however, I am getting stuck on setting up the replication between the two. I am new to AD/LDAP and there might be some concepts I'm missing.

I am able to list users on the remote (Windows) AD:

ldapsearch -x -h 192.168.1.200 -D 'CN=LDAP OpenVPN,CN=Users,DC=DOMAIN,DC=NET' -w 'xxx' -b "DC=DOMAIN,DC=NET" cn

I set up the replication using the following config:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncrepl

# Consumer settings for the local mdb database. The folded lines below form
# one olcSyncRepl value (LDIF continuation lines start with a space).
# Notes on the options as written: interval= only applies to type=refreshOnly
# and is ignored by refreshAndPersist; with bindmethod=simple over a plain
# ldap:// URI the bind password crosses the network in clear text (add
# starttls=critical or use an ldaps:// provider URI to encrypt it);
# olcUpdateRef is the referral handed to clients that try to write to this
# consumer. A lone "-" separates the two changes of a single modify record.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://192.168.1.200:389/
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
  searchbase="CN=Users,DC=DOMAIN,DC=NET"
  bindmethod=simple
  binddn="CN=LDAP OpenVPN,CN=Users,DC=DOMAIN,DC=NET"
  credentials="xxx"
-
add: olcUpdateRef
olcUpdateRef: ldap://192.168.1.200

And applied using:

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"

modifying entry "olcDatabase={1}mdb,cn=config"

However, replication seems to fail with the following error:

[16-02-2022 22:00:20] slapd debug  slap_client_connect: URI=ldap://192.168.1.200:389/ DN="cn=admin,dc=domain,dc=net" ldap_sasl_bind_s failed (49)
[16-02-2022 22:00:20] slapd debug  do_syncrepl: rid=001 rc 49 quitting
[16-02-2022 22:00:21] slapd debug  slap_client_connect: URI=ldap://192.168.1.200:389/ DN="cn=openvpnldap,dc=domain,dc=net" ldap_sasl_bind_s failed (49)
[16-02-2022 22:00:21] slapd debug  do_syncrepl: rid=001 rc 49 quitting
[16-02-2022 22:00:22] slapd debug  do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (12) Critical extension is unavailable
[16-02-2022 22:00:22] slapd debug  do_syncrep2: rid=001 (12) Critical extension is unavailable
[16-02-2022 22:00:22] slapd debug  do_syncrepl: rid=001 rc -2 quitting
[16-02-2022 22:00:22] slapd debug  do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (12) Critical extension is unavailable
[16-02-2022 22:00:22] slapd debug  do_syncrep2: rid=001 (12) Critical extension is unavailable
[16-02-2022 22:00:22] slapd debug  do_syncrepl: rid=001 rc -2 quitting

To give an idea of what I am trying to achieve:

  • we have an on-premise network (192.168.1.0/24) with a Windows based Active Directory running on it
  • we have a Google Cloud VPC network (10.0.0.0/8) with some resources running on it
  • we have an IPSec tunnel running between the on-premise network and GCP network. Routes are properly setup and everything works like a charm
  • we would like to access our on-premise LDAP (192.168.1.200) from a VM within the Google Cloud VPC network - the point is to allow users from this AD to log in to an OpenVPN server located on this VM
  • we want authentication to keep working if we lose access to our on-premise network. To achieve this, the idea was to run a "proxy/cache" OpenLDAP on the same VM

Thanks a lot!
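The lines `do_syncrep2: rid=001 (12) Critical extension is unavailable` in the log above are the provider refusing a request control that the consumer marked critical. slapd's syncrepl sends the LDAP Content Synchronization control (RFC 4533, OID 1.3.6.1.4.1.4203.1.9.1.1) as critical, so any provider that does not list that OID under supportedControl in its rootDSE will answer every syncrepl search with result 12; Active Directory implements its own DirSync control instead of RFC 4533. The script below is an added example and is not part of the original post: it reads a rootDSE in LDIF form and reports whether the sync control is advertised, so the check can be run against a provider before configuring olcSyncRepl. The two sample rootDSE fragments are constructed for illustration, and `check_provider` is the only function that touches the network.

```shell
#!/bin/sh
# Added example, not part of the original post: check whether an LDAP
# provider advertises the LDAP Content Synchronization control (RFC 4533,
# OID 1.3.6.1.4.1.4203.1.9.1.1) in its rootDSE. slapd's syncrepl sends this
# control marked critical, so a provider that lacks it answers with
# result 12, "Critical extension is unavailable".

SYNC_CONTROL_OID='1.3.6.1.4.1.4203.1.9.1.1'

# has_sync_control: reads a rootDSE in LDIF form on stdin; returns 0 when the
# sync control is advertised, 1 otherwise. LDIF folds long values onto
# continuation lines that start with one space, so lines are unfolded before
# comparing. Attribute names are compared case-insensitively, as LDAP does.
has_sync_control() {
    awk -v oid="$SYNC_CONTROL_OID" '
        function check(l) {
            if (tolower(l) == tolower("supportedControl: " oid)) found = 1
        }
        /^ /  { line = line substr($0, 2); next }   # continuation: append
        { check(line); line = $0 }                  # previous line complete
        END   { check(line); exit (found ? 0 : 1) }'
}

# sync_support_verdict: prints "yes" or "no" for a rootDSE passed as a string.
sync_support_verdict() {
    if printf '%s\n' "$1" | has_sync_control; then
        echo yes
    else
        echo no
    fi
}

# check_provider: queries a live server (network; not used by the offline
# samples below). -H takes a URI and replaces the deprecated "-h host" form;
# an anonymous base-scope read of the rootDSE is normally allowed by both AD
# and OpenLDAP. Example: check_provider ldap://192.168.1.200
check_provider() {
    dse=$(ldapsearch -x -LLL -H "$1" -s base -b '' supportedControl) || return 2
    if printf '%s\n' "$dse" | has_sync_control; then
        echo "$1: advertises LDAP Sync; a syncrepl consumer can use it"
    else
        echo "$1: no LDAP Sync control; syncrepl will stop with rc 12"
        return 1
    fi
}

# Constructed sample rootDSE fragments (only a few controls each).
# An Active Directory domain controller offers paged results (…4.319),
# DirSync (…4.841) and change notification (…4.528), but not RFC 4533:
AD_ROOT_DSE='dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.528'

# An OpenLDAP provider running the syncprov overlay does advertise it; the
# value here is folded onto a continuation line to exercise the unfolding.
OPENLDAP_ROOT_DSE='dn:
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.3.6.1.4.1.4203.1
 .9.1.1
supportedControl: 1.2.840.113556.1.4.319'

echo "Active Directory sample advertises LDAP Sync: $(sync_support_verdict "$AD_ROOT_DSE")"
echo "OpenLDAP sample advertises LDAP Sync:        $(sync_support_verdict "$OPENLDAP_ROOT_DSE")"
```

Run `check_provider ldap://192.168.1.200` (or `ldaps://…` once the DC's certificate is trusted) from the consumer host; a "no" verdict means no olcSyncRepl setting will make the consumer follow that server, and the goal of a local cache has to be met by another mechanism than syncrepl.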
