tags: OpenLDAP


Mocking Active Directory with OpenLDAP


For work, our production server uses Active Directory (AD) for authentication and authorization to use our app. Users may belong to several groups to be granted access to different parts of the app. To mock this out for development I installed OpenLDAP and extended the schema enough to match what we need.

Our code queries the sAMAccountName attribute of users, which belongs to the Microsoft securityPrincipal objectClass. Instead of enabling the entire schema, which gave me errors, I enabled just the objectClass and attributes my application needs.

# Both attributes use the standard Directory String syntax (RFC 4517),
# since the post describes them as strings; sAMAccountName occurs once.
attributetype ( 1.2.840.113556.1.4.221
    NAME 'sAMAccountName'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )

attributetype ( 1.2.840.113556.1.2.102
    NAME 'memberOf'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

# AUXILIARY so the class can be added to an existing user entry
# (e.g. inetOrgPerson) without a second structural class chain.
objectclass ( 1.2.840.113556.1.5.6
    NAME 'securityPrincipal'
    SUP top
    AUXILIARY
    MUST ( sAMAccountName )
    MAY ( memberOf ) )

This says there's an attribute named sAMAccountName of type (SYNTAX) string which occurs once per entry, and that equality matching ignores case. There's also a memberOf attribute, which is permitted multiple times. Finally there's an objectclass called securityPrincipal which MUST contain sAMAccountName and MAY contain one or more memberOf values.

Create this file and save it in /etc/ldap/schema/ms.schema.

Create a file schema_convert.conf like this.

include /etc/ldap/schema/ms.schema

Follow the steps here: Modifying the slapd Configuration Database.

Using phpLDAPadmin, add Generic: User Account, save, then edit. Add the object class securityPrincipal. This will prompt you to fill out sAMAccountName; in our application this is the username part of our Kerberos principals. Then "Add new attribute" and select memberOf. Finally set the name of the group the user belongs to.

Now our app may perform the queries it needs, just as it would in production.

// Find the user; escape the supplied name so it cannot alter the filter
$filter = '(sAMAccountName=' . ldap_escape($samaccountname, '', LDAP_ESCAPE_FILTER) . ')';
$result = ldap_search( $ad, $basedn, $filter, array('dn') );
$userdn = ldap_get_entries( $ad, $result )[0]['dn'];
// Get their groups (the attribute list must be an array)
$groups = ldap_read( $ad, $userdn, '(objectclass=securityPrincipal)', array('memberof') );

How To Install and Configure OpenLDAP and phpLDAPadmin on Ubuntu 16.04 is an excellent article for reference.

Address Book

I've finally configured my address book the way I want it. I'm using OpenLDAP to store all of them in a central place. OpenLDAP is a server, so I can access them from remote machines, like my computer at work. In addition I can allow other people access to my address book.

Today I'm spending time migrating addresses from Yahoo. This will take some time, but Mark just reminded me of the export feature in Yahoo. I saw this but for some reason ignored it. Maybe that's because I just migrated addresses from my local disk address book, via LDIF, and there were still numerous discrepancies.