Commit 34b95c52 authored by Ondřej Kuzník's avatar Ondřej Kuzník Committed by Quanah Gibson-Mount

ITS#9438 Add remoteauth overlay

parent 0c2ba041
Pipeline #1803 passed with stage
in 30 minutes and 58 seconds
......@@ -353,6 +353,7 @@ Overlays="accesslog \
ppolicy \
proxycache \
refint \
remoteauth \
retcode \
rwm \
seqmod \
......@@ -393,6 +394,8 @@ OL_ARG_ENABLE(proxycache, [AS_HELP_STRING([--enable-proxycache], [Proxy Cache ov
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(refint, [AS_HELP_STRING([--enable-refint], [Referential Integrity overlay])],
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(remoteauth, [AS_HELP_STRING([--enable-remoteauth], [Deferred Authentication overlay])],
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(retcode, [AS_HELP_STRING([--enable-retcode], [Return Code testing overlay])],
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(rwm, [AS_HELP_STRING([--enable-rwm], [Rewrite/Remap overlay])],
......@@ -569,6 +572,7 @@ BUILD_MEMBEROF=no
BUILD_PPOLICY=no
BUILD_PROXYCACHE=no
BUILD_REFINT=no
BUILD_REMOTEAUTH=no
BUILD_RETCODE=no
BUILD_RWM=no
BUILD_SEQMOD=no
......@@ -2861,6 +2865,18 @@ if test "$ol_enable_refint" != no ; then
AC_DEFINE_UNQUOTED(SLAPD_OVER_REFINT,$MFLAG,[define for Referential Integrity overlay])
fi
if test "$ol_enable_remoteauth" != no ; then
BUILD_REMOTEAUTH=$ol_enable_remoteauth
if test "$ol_enable_remoteauth" = mod ; then
MFLAG=SLAPD_MOD_DYNAMIC
SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS remoteauth.la"
else
MFLAG=SLAPD_MOD_STATIC
SLAPD_STATIC_OVERLAYS="$SLAPD_STATIC_OVERLAYS remoteauth.o"
fi
AC_DEFINE_UNQUOTED(SLAPD_OVER_REMOTEAUTH,$MFLAG,[define for Deferred Authentication overlay])
fi
if test "$ol_enable_retcode" != no ; then
BUILD_RETCODE=$ol_enable_retcode
if test "$ol_enable_retcode" = mod ; then
......@@ -3033,6 +3049,7 @@ dnl overlays
AC_SUBST(BUILD_PPOLICY)
AC_SUBST(BUILD_PROXYCACHE)
AC_SUBST(BUILD_REFINT)
AC_SUBST(BUILD_REMOTEAUTH)
AC_SUBST(BUILD_RETCODE)
AC_SUBST(BUILD_RWM)
AC_SUBST(BUILD_SEQMOD)
......
.TH SLAPO-REMOTEAUTH 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2021 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
slapo-remoteauth \- Delegate authentication requests to remote directories, e.g. Active Directory
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The
.B remoteauth
overlay to
.BR slapd (8)
provides passthrough authentication to remote directory servers, e.g.
Active Directory, for LDAP simple bind operations. The local LDAP entry
referenced in the bind operation is mapped to its counterpart in the remote
directory. An LDAP bind operation is performed against the remote directory
and results are returned based on those of the remote operation.
.LP
A slapd server configured with the
.B remoteauth
overlay handles an authentication request based on the presence of
.B userPassword
in the local entry. If the
.B userPassword
is present, authentication is performed locally, otherwise the
.B remoteauth
overlay performs the authentication request to the configured remote directory
server.
.LP
.SH CONFIGURATION
The following options can be applied to the
.B remoteauth
overlay within the slapd.conf file. All options should follow the
.B overlay remoteauth
directive.
.TP
.B overlay remoteauth
This directive adds the
.B remoteauth
overlay to the current database, see
.BR slapd.conf (5)
for details.
.TP
.B remoteauth_dn_attribute <dnattr>
Attribute in the local entry that is used to store the bind DN to a remote
directory server.
.TP
.B remoteauth_mapping <domain> <hostname|LDAP URI|file:///path/to/list_of_hostnames>
For a non-Windows deployment, a domain can be considered as a collection of
one or more hosts to which slapd server authentcates against on behalf of
authenticating users.
For a given domain name, the mapping specifies the target server(s),
e.g., Active Directory domain controller(s), to connect to via LDAP.
The second argument can be given either as a hostname, an LDAP URI, or a file
containing a list of hostnames/URIs, one per line. The hostnames are tried in
sequence until the connection succeeds.
This option can be provided more than once to provide mapping information for
different domains. For example:
.nf
remoteauth_mapping americas file:///path/to/americas.domain.hosts
remoteauth_mapping asiapacific file:///path/to/asiapacific.domain.hosts
remoteauth_mapping emea emeadc1.emea.example.com
.fi
.TP
.B remoteauth_domain_attribute <attr>
Attribute in the local entry that specifies the domain name, any text after
"\\" or ":" is ignored.
.TP
.B remoteauth_default_domain <default domain>
Default domain.
.TP
.B remoteauth_default_realm <server>
Fallback server to connect to for domains not specified in
.BR remoteauth_mapping .
.TP
.B remoteauth_retry_count <num>
Number of connection retries attempted. Default is 3.
.TP
.B remoteauth_store <on|off>
Whether to store the password in the local entry on successful bind. Default is
off.
.HP
.hy 0
.B remoteauth_tls
.B [starttls=yes]
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all]
.RS
Remoteauth specific TLS configuration, see
.BR slapd.conf (5)
for more details on each of the parameters and defaults.
.RE
.TP
.B remoteauth_tls_peerkey_hash <hostname> <hashname>:<base64 of public key hash>
Mapping between remote server hostnames and their public key hashes. Only one
mapping per hostname is supported and if any pins are specified, all hosts
need to be pinned. If set, pinning is in effect regardless of whether or not
certificate name validation is enabled by
.BR tls_reqcert .
.SH EXAMPLE
A typical example configuration of
.B remoteauth
overlay for AD is shown below (as a
.BR slapd.conf (5)
snippet):
.LP
.nf
database <database>
#...
overlay remoteauth
remoteauth_dn_attribute seeAlso
remoteauth_domain_attribute associatedDomain
remoteauth_default_realm americas.example.com
remoteauth_mapping americas file:///home/ldap/etc/remoteauth.americas
remoteauth_mapping emea emeadc1.emea.example.com
remoteauth_tls starttls=yes tls_reqcert=demand tls_cacert=/home/ldap/etc/example-ca.pem
remoteauth_tls_peerkey_hash ldap.americas.tld sha256:Bxv3MkLoDm6gt/iDfeGNdNNqa5TTpPDdIwvZM/cIgeo=
.fi
Where seeAlso contains the AD bind DN for the user, associatedDomain contains the
Windows Domain Id in the form of <NT-domain-name>:<NT-username> in which
anything following, including ":", is ignored.
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd (8).
.SH Copyrights
Copyright 2004-2021 The OpenLDAP Foundation.
Portions Copyright 2004-2017 Howard Chu, Symas Corporation.
Portions Copyright 2017-2021 Ondřej Kuzník, Symas Corporation.
Portions Copyright 2004 Hewlett-Packard Company
......@@ -283,6 +283,8 @@ static OidRec OidMacros[] = {
* OLcfgOv{Oc|At}:19 -> collect
* OLcfgOv{Oc|At}:20 -> retcode
* OLcfgOv{Oc|At}:21 -> sssvlv
* OLcfgOv{Oc|At}:22 -> autoca
* OLcfgOv{Oc|At}:24 -> remoteauth
*/
/* alphabetical ordering */
......
......@@ -27,6 +27,7 @@ SRCS = overlays.c \
collect.c \
ppolicy.c \
refint.c \
remoteauth.c \
retcode.c \
rwm.c rwmconf.c rwmdn.c rwmmap.c \
seqmod.c \
......@@ -102,6 +103,9 @@ ppolicy.la : ppolicy.lo
refint.la : refint.lo
$(LTLINK_MOD) -module -o $@ refint.lo version.lo $(LINK_LIBS)
remoteauth.la : remoteauth.lo
$(LTLINK_MOD) -module -o $@ remoteauth.lo version.lo $(LINK_LIBS)
retcode.la : retcode.lo
$(LTLINK_MOD) -module -o $@ retcode.lo version.lo $(LINK_LIBS)
......
This diff is collapsed.
dn: olcOverlay={0}remoteauth,olcDatabase={1}@BACKEND@,cn=config
objectClass: olcOverlayConfig
objectclass: olcRemoteAuthCfg
olcOverlay: {0}remoteauth
olcRemoteAuthRetryCount: 3
olcRemoteAuthTLS: starttls=critical
tls_cert="@TESTDIR@/tls/certs/localhost.crt"
tls_key="@TESTDIR@/tls/private/localhost.key"
tls_cacert="@TESTDIR@/tls/ca/certs/testsuiteCA.crt"
tls_reqcert=demand tls_reqsan=allow
#openssl# tls_crlcheck=none
olcRemoteAuthDNAttribute: seeAlso
olcRemoteAuthDomainAttribute: o
olcRemoteAuthDefaultDomain: default
olcRemoteAuthDefaultRealm: @SURIP3@
olcRemoteAuthStore: FALSE
olcRemoteAuthMapping: default file://@TESTDIR@/default_domain
olcRemoteAuthMapping: working_ldaps @SURIP3@
olcRemoteAuthMapping: failing_ldaps @SURIP2@
olcRemoteAuthMapping: self @URIP1@
ldap://we/should/not/be/able/to/connect/to
@SURIP2@
@SURIP3@
overlay remoteauth
# defaults
#remoteauth_retry_count 3
#remoteauth_store off
remoteauth_tls starttls=critical
tls_cert=@TESTDIR@/tls/certs/localhost.crt
tls_key=@TESTDIR@/tls/private/localhost.key
tls_cacert=@TESTDIR@/tls/ca/certs/testsuiteCA.crt
remoteauth_dn_attribute seeAlso
remoteauth_domain_attribute o
remoteauth_default_domain default
remoteauth_default_realm @SURIP3@
# It's a trap! (ehm... stack) cn=config entries will be emitted in reverse order
remoteauth_mapping self @URIP1@
remoteauth_mapping failing_ldaps @SURIP2@
remoteauth_mapping working_ldaps @SURIP3@
remoteauth_mapping default file://@TESTDIR@/default_domain
......@@ -49,6 +49,7 @@ AC_memberof=memberof@BUILD_MEMBEROF@
AC_pcache=pcache@BUILD_PROXYCACHE@
AC_ppolicy=ppolicy@BUILD_PPOLICY@
AC_refint=refint@BUILD_REFINT@
AC_remoteauth=remoteauth@BUILD_REMOTEAUTH@
AC_retcode=retcode@BUILD_RETCODE@
AC_translucent=translucent@BUILD_TRANSLUCENT@
AC_unique=unique@BUILD_UNIQUE@
......@@ -75,8 +76,9 @@ if test "${AC_asyncmeta}" = "asyncmetamod" && test "${AC_LIBS_DYNAMIC}" = "stati
AC_meta="asyncmetano"
fi
export AC_ldap AC_mdb AC_meta AC_asyncmeta AC_monitor AC_null AC_perl AC_relay AC_sql \
AC_accesslog AC_autoca AC_constraint AC_dds AC_dynlist AC_memberof AC_pcache AC_ppolicy \
AC_refint AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \
AC_accesslog AC_autoca AC_constraint AC_dds AC_dynlist AC_memberof \
AC_pcache AC_ppolicy AC_refint AC_remoteauth \
AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \
AC_valsort \
AC_lloadd \
AC_WITH_SASL AC_WITH_TLS AC_WITH_MODULES_ENABLED AC_ACI_ENABLED \
......
......@@ -43,6 +43,7 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
-e "s/^#${AC_ppolicy}#//" \
-e "s/^#${AC_refint}#//" \
-e "s/^#${AC_retcode}#//" \
-e "s/^#${AC_remoteauth}#//" \
-e "s/^#${AC_rwm}#//" \
-e "s/^#${AC_syncprov}#//" \
-e "s/^#${AC_translucent}#//" \
......
......@@ -37,6 +37,7 @@ MEMBEROF=${AC_memberof-memberofno}
PROXYCACHE=${AC_pcache-pcacheno}
PPOLICY=${AC_ppolicy-ppolicyno}
REFINT=${AC_refint-refintno}
REMOTEAUTH=${AC_remoteauth-remoteauthno}
RETCODE=${AC_retcode-retcodeno}
RWM=${AC_rwm-rwmno}
SYNCPROV=${AC_syncprov-syncprovno}
......
#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 2016-2021 Ondřej Kuzník, Symas Corp.
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
echo "running defines.sh"
. $SRCDIR/scripts/defines.sh
if test $WITH_TLS = no ; then
echo "TLS support not available, test skipped"
exit 0
fi
if test $REMOTEAUTH = remoteauthno; then
echo "RemoteAuth overlay not available, test skipped"
exit 0
fi
mkdir -p $TESTDIR $DBDIR1 $DBDIR2 $TESTDIR/confdir
cp -r $DATADIR/tls $TESTDIR
. $CONFFILTER < $DATADIR/remoteauth/default_domain > $TESTDIR/default_domain
. $CONFFILTER $BACKEND < $TLSCONF > $CONF1
$SLAPPASSWD -g -n >$CONFIGPWF
echo "database config" >>$CONF1
echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >>$CONF1
echo "TLSCACertificateFile $TESTDIR/tls/ca/certs/testsuiteCA.crt" >>$CONF1
$SLAPD -Tt -n 0 -f $CONF1 -F $TESTDIR/confdir -d $LVL > $LOG1 2>&1
RC=$?
if test $RC != 0 ; then
echo "slaptest failed ($RC)!"
exit $RC
fi
echo -n "Running slapadd to build slapd database... "
$SLAPADD -F $TESTDIR/confdir -l $LDIFORDERED
RC=$?
if test $RC != 0 ; then
echo "slapadd failed ($RC)!"
exit $RC
fi
echo "DB tweaks..."
$SLAPMODIFY -f $CONF1 >>$LOG1 2>&1 <<EOMODS
dn: $MELLIOTDN
changetype: modify
add: o
o: self
-
replace: seeAlso
seeAlso: $BJORNSDN
dn: $JOHNDDN
changetype: modify
replace: seeAlso
seeAlso: $BJORNSDN
EOMODS
RC=$?
if test $RC != 0 ; then
echo "slapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Starting slapd on TCP/IP port $PORT1 for configuration..."
$SLAPD -f $CONF1 -F $TESTDIR/confdir -h $URI1 -d $LVL > $LOG1 2>&1 &
REMOTEAUTH_PID=$!
if test $WAIT != 0 ; then
echo REMOTEAUTH_PID $REMOTEAUTH_PID
read foo
fi
KILLPIDS="$REMOTEAUTH_PID"
sleep $SLEEP0
for i in 0 1 2 3 4 5; do
$LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
'objectclass=*' > /dev/null 2>&1
RC=$?
if test $RC = 0 ; then
break
fi
echo "Waiting ${SLEEP1} seconds for slapd to start..."
sleep ${SLEEP1}
done
if [ "$REMOTEAUTH" = remoteauthmod ]; then
$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF \
>> $TESTOUT 2>&1 <<EOMOD
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/overlays
olcModuleLoad: remoteauth.la
EOMOD
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
fi
echo "Loading test remoteauth configuration..."
. $CONFFILTER $BACKEND < $DATADIR/remoteauth/config.ldif | \
$LDAPADD -v -D cn=config -H $URI1 -y $CONFIGPWF \
>> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapadd failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo -n "Preparing second server on $URI2 and $SURIP3... "
. $CONFFILTER $BACKEND < $TLSCONF | sed -e "s,$DBDIR1,$DBDIR2," > $CONF2
echo -n "loading data... "
$SLAPADD -f $CONF2 -l $LDIFORDERED
RC=$?
if test $RC != 0 ; then
echo "slapadd failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo -n "tweaking DB contents... "
$SLAPMODIFY -f $CONF2 >>$LOG2 2>&1 <<EOMODS
dn: $BJORNSDN
changetype: modify
replace: userPassword
userPassword: bjorn2
EOMODS
RC=$?
if test $RC != 0 ; then
echo "slapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "starting up... "
$SLAPD -f $CONF2 -h "$URI2 $SURIP3" -d $LVL > $LOG2 2>&1 &
BACKEND_PID=$!
if test $WAIT != 0 ; then
echo BACKEND_PID $BACKEND_PID
read foo
fi
KILLPIDS="$KILLPIDS $BACKEND_PID"
for i in 0 1 2 3 4 5; do
$LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
'objectclass=*' > /dev/null 2>&1
RC=$?
if test $RC = 0 ; then
break
fi
echo "Waiting ${SLEEP1} seconds for slapd to start..."
sleep ${SLEEP1}
done
if test $RC != 0 ; then
echo "failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
. $CONFFILTER $BACKEND < $TLSCONF > $CONF1
echo "TLSCACertificateFile $TESTDIR/tls/ca/certs/testsuiteCA.crt" >>$CONF1
echo "database config" >>$CONF1
echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >>$CONF1
# We check basic remoteauth operation and generated configuration in these
# circumstances:
# 1. configured online through cn=config (what we set up above)
# 2. the server from 1. restarted (loading from cn=config on startup)
# 3. configured and started through a slapd.conf
#
# All of the above should present the same behaviour and cn=config output
echo "Saving generated config before server restart..."
echo "# search output from dynamically configured server..." >> $SERVER1OUT
$LDAPSEARCH -D cn=config -H $URI1 -y $CONFIGPWF \
-b "olcOverlay={0}remoteauth,olcDatabase={1}$BACKEND,cn=config" \
>> $SERVER1OUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo -n "Checking bind handling... "
$LDAPWHOAMI -H $URI1 -x -D "$BJORNSDN" -w bjorn >/dev/null
RC=$?
if test $RC != 0 ; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo -n "1 "
$LDAPWHOAMI -H $URI1 -x -D "$JOHNDDN" -w bjorn2 >/dev/null
RC=$?
if test $RC != 0 ; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo -n "2 "
$LDAPWHOAMI -H $URI1 -x -D "$MELLIOTDN" -w bjorn >/dev/null
RC=$?
if test $RC != 0 ; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo -n "3 "
echo "ok"
echo "Stopping slapd on TCP/IP port $PORT1..."
kill -HUP $REMOTEAUTH_PID
KILLPIDS="$BACKEND_PID"
sleep $SLEEP0
echo "Starting slapd on TCP/IP port $PORT1..."
$SLAPD -F $TESTDIR/confdir -h $URI1 -d $LVL >> $LOG1 2>&1 &
REMOTEAUTH_PID=$!
if test $WAIT != 0 ; then
echo REMOTEAUTH_PID $REMOTEAUTH_PID
read foo
fi
KILLPIDS="$KILLPIDS $REMOTEAUTH_PID"
sleep $SLEEP0
for i in 0 1 2 3 4 5; do
$LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
'objectclass=*' > /dev/null 2>&1
RC=$?
if test $RC = 0 ; then
break
fi
echo "Waiting ${SLEEP1} seconds for slapd to start..."
sleep ${SLEEP1}
done
echo "Saving generated config after server restart..."
echo "# search output from dynamically configured server after restart..." >> $SERVER2OUT
$LDAPSEARCH -D cn=config -H $URI1 -y $CONFIGPWF \
-b "olcOverlay={0}remoteauth,olcDatabase={1}$BACKEND,cn=config" \
>> $SERVER2OUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo -n "Checking bind handling... "
$LDAPWHOAMI -H $URI1 -x -D "$BJORNSDN" -w bjorn >/dev/null
RC=$?
if test $RC != 0 ; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo -n "1 "
$LDAPWHOAMI -H $URI1 -x -D "$JOHNDDN" -w bjorn2 >/dev/null
RC=$?
if test $RC != 0 ; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo -n "2 "
$LDAPWHOAMI -H $URI1 -x -D "$MELLIOTDN" -w bjorn >/dev/null
RC=$?
if test $RC != 0 ; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS