
Mocking Active Directory with OpenLDAP

For work, our production server uses Active Directory (AD) for authentication and authorization to use our app. Users may belong to several groups to be granted access to different parts of the app. To mock this out for development I installed OpenLDAP and extended the schema enough to match what we need.

Our code queries the sAMAccountName attribute of users, which belongs to the Microsoft securityPrincipal objectClass. Instead of enabling the entire schema, which gave me errors, I enabled just the objectClass and attributes my application needs.

attributetype ( 1.2.840.113556.1.4.221
    NAME 'sAMAccountName'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )

attributetype ( 1.2.840.113556.1.2.102
    NAME 'memberOf'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')

objectclass ( 1.2.840.113556.1.5.6
    NAME 'securityPrincipal'
    SUP top
    AUXILIARY
    MUST (sAMAccountName)
    MAY (memberOf))

This says there's an attribute named sAMAccountName whose type (SYNTAX) is a directory string and which occurs at most once (SINGLE-VALUE). Equality matching on it ignores case. There's also a memberOf attribute, which is permitted multiple times. Finally there's an objectclass called securityPrincipal which MUST contain sAMAccountName and MAY contain memberOf values.

Create this file and save it in /etc/ldap/schema/ms.schema.

Create a file schema_convert.conf like this.

include /etc/ldap/schema/ms.schema

Follow the steps here: Modifying the slapd Configuration Database.

Using phpLDAPadmin, add Generic: User Account, save, then edit. Add the object class securityPrincipal. This will prompt you to fill out sAMAccountName; in our application we set it to the username part of our Kerberos principals. Then "Add new attribute" and select memberOf. Finally set it to the name of the group the user belongs to.

Now our app may perform the queries it needs, just as it would in production.

// Find the user by sAMAccountName; the attribute list must be an array.
// $samaccountname should be filter-escaped (ldap_escape) before interpolation.
ldap_search( $ad, $basedn, "(samaccountName={$samaccountname})", array('dn') );
// Get their groups: read just the memberOf attribute from the user's entry
ldap_read( $ad, $userdn, '(objectclass=securityPrincipal)', array('memberof') );
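As an added example (not code from the original post), the two lookups above combined into one PHP function that escapes the user-supplied account name before building the filter and walks the memberOf values returned by ldap_get_entries. The server URL, base DN and bind credentials are assumed placeholders for a local slapd.

```php
<?php
// Added example: resolve a user by sAMAccountName on the mock OpenLDAP
// server and return their DN plus memberOf groups.
// Assumptions: ldap://localhost, base dc=example,dc=com, a read-only
// service account (cn=readonly) -- adjust to your own slapd.
function findUserGroups(string $samAccountName): ?array
{
    $ad = ldap_connect('ldap://localhost');
    if ($ad === false) {
        return null;
    }
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);

    // Bind with a read-only service account (assumed DN and password).
    if (!ldap_bind($ad, 'cn=readonly,dc=example,dc=com', 'secret')) {
        return null;
    }

    // Escape the value so characters like "*" or ")" are matched literally
    // instead of changing the meaning of the search filter.
    $safe   = ldap_escape($samAccountName, '', LDAP_ESCAPE_FILTER);
    $filter = "(&(objectClass=securityPrincipal)(sAMAccountName={$safe}))";

    $sr = ldap_search($ad, 'dc=example,dc=com', $filter, ['dn', 'memberOf']);
    if ($sr === false) {
        return null;
    }
    $entries = ldap_get_entries($ad, $sr);

    // sAMAccountName is SINGLE-VALUE in the schema, so expect exactly one hit;
    // anything else means the mock data is inconsistent.
    if ($entries['count'] !== 1) {
        ldap_unbind($ad);
        return null;
    }

    // ldap_get_entries lowercases attribute names and adds a 'count' key.
    $groups   = [];
    $memberOf = $entries[0]['memberof'] ?? ['count' => 0];
    for ($i = 0; $i < $memberOf['count']; $i++) {
        $groups[] = $memberOf[$i];
    }
    ldap_unbind($ad);

    return ['dn' => $entries[0]['dn'], 'groups' => $groups];
}

// Usage: php lookup.php <sAMAccountName>; 'testuser' is a constructed default.
print_r(findUserGroups($argv[1] ?? 'testuser'));
```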

How To Install and Configure OpenLDAP and phpLDAPadmin on Ubuntu 16.04 is an excellent article for reference.
