Mocking Active Directory with OpenLDAP

At work, our production server uses Active Directory (AD) to authenticate users and authorize them to use our app. Users may belong to several groups, each granting access to a different part of the app. To mock this out for development I installed OpenLDAP and extended its schema just enough to match what we need.

Our code queries the sAMAccountName attribute of users, which belongs to the Microsoft securityPrincipal objectClass. Instead of enabling the entire schema, which gave me errors, I enabled just the objectClass and attributes my application needs.

attributetype ( 1.2.840.113556.1.4.221
    NAME 'sAMAccountName'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )

attributetype ( 1.2.840.113556.1.2.102
    NAME 'memberOf'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')

objectclass ( 1.2.840.113556.1.5.6
    NAME 'securityPrincipal'
    SUP top
    AUXILIARY
    MUST (sAMAccountName)
    MAY (memberOf))

This says there's an attribute named sAMAccountName with a string SYNTAX that occurs at most once (SINGLE-VALUE), and equality matching on it ignores case. There's also a memberOf attribute, which may occur multiple times. Finally there's an objectclass called securityPrincipal which MUST contain sAMAccountName and MAY contain memberOf values.

Create this file and save it in /etc/ldap/schema/ms.schema.

Create a file schema_convert.conf like this.

include /etc/ldap/schema/ms.schema

Follow the steps here: Modifying the slapd Configuration Database.

Using phpLDAPadmin, add Generic: User Account, save, then edit. Add object class securityPrincipal. This will prompt you to fill out sAMAccountName; in our application this is the username part of our Kerberos principal. Then "Add new attribute" and select memberOf. Finally set its value to the name of the group the user belongs to.
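The same user entry built as an LDIF file from the shell, as an added example rather than code from the original post, so that the mock directory can be populated by script instead of by clicking through phpLDAPadmin. It assumes a base DN of dc=example,dc=com, an ou=People container, an admin DN of cn=admin,dc=example,dc=com, and that ms.schema from above is already loaded into slapd; inetOrgPerson stands in for the structural class the phpLDAPadmin template gives the entry.

```sh
#!/bin/sh
# Added example, not code from the original post. Builds the LDIF for one
# mock user with the securityPrincipal objectClass from the post's
# ms.schema. Assumed: base DN dc=example,dc=com, an ou=People container,
# and that the schema is already loaded into slapd.
BASE_DN="dc=example,dc=com"

# user_ldif UID CN SAM_ACCOUNT_NAME GROUP... -> LDIF entry on stdout
# inetOrgPerson stands in for the structural class phpLDAPadmin's
# "Generic: User Account" template gives the entry (an assumption here);
# securityPrincipal is AUXILIARY, so it is simply added on top.
user_ldif() {
    uid="$1"; cn="$2"; sam="$3"; shift 3
    printf 'dn: uid=%s,ou=People,%s\n' "$uid" "$BASE_DN"
    printf 'objectClass: inetOrgPerson\n'
    printf 'objectClass: securityPrincipal\n'
    printf 'uid: %s\n' "$uid"
    printf 'cn: %s\n' "$cn"
    printf 'sn: %s\n' "${cn##* }"          # surname = last word of cn
    printf 'sAMAccountName: %s\n' "$sam"    # MUST for securityPrincipal
    for group in "$@"; do                   # memberOf is multi-valued:
        printf 'memberOf: %s\n' "$group"    # one line per group name
    done
    printf '\n'
}

# count_member_of LDIF_TEXT -> how many memberOf lines the entry carries
count_member_of() {
    printf '%s\n' "$1" | grep -c '^memberOf: '
}

# Constructed sample user; as in the post, sAMAccountName is the username
# part of the Kerberos principal (jdoe@EXAMPLE.COM -> jdoe).
user_ldif jdoe "Jane Doe" jdoe app-admins app-readers

# To load it and check the result against a running slapd (assumed admin DN):
#   user_ldif jdoe "Jane Doe" jdoe app-admins app-readers > mock-user.ldif
#   ldapadd -x -D "cn=admin,$BASE_DN" -W -f mock-user.ldif
#   ldapsearch -x -b "$BASE_DN" '(sAMAccountName=jdoe)' memberOf
```

Because the post's memberOf is declared with string syntax rather than DN syntax, plain group names are valid values, which is what the application compares against.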

Now our app can perform the queries it needs, just as it does in production.

// Find the user. Escape the value first so filter metacharacters in it
// cannot change the search (ldap_escape() is available from PHP 5.6).
$filter = '(sAMAccountName=' . ldap_escape($samaccountname, '', LDAP_ESCAPE_FILTER) . ')';
$result = ldap_search( $ad, $basedn, $filter, array('dn') );
// Get their groups (the attribute list must be an array)
$result = ldap_read( $ad, $userdn, '(objectclass=securityPrincipal)', array('memberof') );
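The same two lookups run from the shell with the OpenLDAP command-line tools, as an added example that is not part of the original post. It assumes a base DN of dc=example,dc=com and anonymous read access on the mock server (override with LDAP_URI). The escaping function is the part worth checking: a username taken from a request must not be able to alter the filter, which is why the PHP code above wraps it in ldap_escape().

```sh
#!/bin/sh
# Added example, not code from the original post. Assumed: base DN
# dc=example,dc=com, a slapd reachable at $LDAP_URI (default
# ldap://localhost) that allows anonymous reads.
BASE_DN="dc=example,dc=com"
LDAP_URI="${LDAP_URI:-ldap://localhost}"

# ldap_filter_escape VALUE -> VALUE with the RFC 4515 filter special
# characters \ * ( ) replaced by their \xx hex escapes. Backslash goes
# first so the escapes added afterwards are not escaped again.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# user_filter SAM_ACCOUNT_NAME -> the search filter for that user
user_filter() {
    printf '(sAMAccountName=%s)' "$(ldap_filter_escape "$1")"
}

# find_user_dn SAM_ACCOUNT_NAME -> DN of the matching entry (needs a server);
# mirrors the ldap_search() call, asking only for the dn
find_user_dn() {
    ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" -b "$BASE_DN" \
        "$(user_filter "$1")" dn | sed -n 's/^dn: //p'
}

# user_groups DN -> memberOf values, one per line (needs a server);
# mirrors the ldap_read() call: base scope on the user's own entry
user_groups() {
    ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" -b "$1" -s base \
        '(objectClass=securityPrincipal)' memberOf | sed -n 's/^memberOf: //p'
}

# has_group GROUP_LIST GROUP -> exit 0 if GROUP is one of the newline-
# separated names; -x compares whole lines, so app-read != app-readers
has_group() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# Constructed inputs: a plain name and one containing filter metacharacters
printf 'filter for a plain name:        %s\n' "$(user_filter jdoe)"
printf 'filter for a name with ( ) *:   %s\n' "$(user_filter 'doe (temp)*')"

# Authorization decision on a constructed group list, the same check the
# app makes on the memberOf values it reads back
groups=$(printf 'app-admins\napp-readers\n')
if has_group "$groups" app-readers; then echo "jdoe may read"; fi

# Against a running server:
#   dn=$(find_user_dn jdoe) && user_groups "$dn"
```

The scope matters: ldap_read() in PHP is a base-scope search on one DN, so user_groups passes `-s base` and the same objectClass filter the application uses; find_user_dn is the subtree search from the base DN.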

How To Install and Configure OpenLDAP and phpLDAPadmin on Ubuntu 16.04 is an excellent article for reference.