From Michael's Information Zone

Active Directory LDAP Proxy


To proxy secure LDAP requests from the internet to Microsoft Active Directory (AD).


CentOS 7

Start from a clean install with epel-release installed (not needed, but it is part of my initial setup script).

yum -y install openldap openldap-servers
# Write the proxy configuration in slapd.conf syntax; the here-document must be closed with EOF
cat <<EOF >>/etc/openldap/slapd.conf

moduleload              back_ldap

include                 /etc/openldap/schema/core.schema
include                 /etc/openldap/schema/cosine.schema
include                 /etc/openldap/schema/nis.schema
include                 /etc/openldap/schema/inetorgperson.schema

# pidfile needs a file name, not a directory; slapd.pid is the package default
pidfile                 /var/run/openldap/slapd.pid
argsfile                /var/run/openldap/slapd.args

sizelimit               unlimited

idletimeout             3600
writetimeout            600

# back_ldap proxy: requests under the suffix are forwarded to the domain controller
database                ldap
suffix                  "dc=your,dc=tld"
uri                     "ldap://domaincontroller"
chase-referrals         no
idassert-bind           bindmethod=simple

logfile                 /var/log/slapd.log
loglevel                1
EOF

# Convert slapd.conf into the slapd.d (cn=config) directory, then enable and start the service
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
systemctl enable slapd
systemctl start slapd
# The firewalld "ldap" service opens 389/tcp; ldaps (636/tcp) is a separate firewalld service
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

When finished, you can query the OpenLDAP proxy, but you must authenticate to do so. In this configuration it does not allow anonymous binds, which is a good thing.

ldapsearch -v -x -h <openldap ip/FQDN> -D "cn=binduser,ou=Users,DC=your,DC=tld" -w password -b OU=Users,DC=your,DC=tld


Edit /etc/sysconfig/slapd so that slapd accepts secure (ldaps) connections, install the certificates, and restart the service[1]

# Replace the default listener list "ldapi:/// ldap:///" with "ldapi:/// ldaps:///" (same edit as before, written with | as the sed delimiter so the slashes need no escaping)
sed -i 's|SLAPD_URLS="ldapi:/// ldap:///"|SLAPD_URLS="ldapi:/// ldaps:///"|' /etc/sysconfig/slapd
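The two edits above (the slapd.conf for the back_ldap proxy, and the SLAPD_URLS listener change) are easy to get subtly wrong when the proxy faces the internet. The following audit script is an added example written for this page; it is not part of OpenLDAP or of the original how-to. It parses a slapd.conf-style file and the SLAPD_URLS line from /etc/sysconfig/slapd and reports the settings a reviewer would look at: whether the proxy itself refuses anonymous binds (disallow bind_anon), whether the back_ldap uri to the domain controller is plaintext ldap:// without a tls start directive, whether a certificate and key are configured before ldaps:/// is enabled, and whether a plaintext ldap:/// listener is still present. The sample inputs are constructed: the first is this page's own configuration, the second is a hardened variant whose certificate paths under /etc/openldap/certs/ are assumed placeholders.

```python
"""Audit an OpenLDAP back-ldap proxy config (slapd.conf syntax) and the
SLAPD_URLS line from /etc/sysconfig/slapd for internet-facing exposure.
Example code written for this page; it is not part of OpenLDAP."""
import re
import shlex
from typing import Dict, List, Tuple

# Constructed sample: the proxy configuration from this page.
SAMPLE_SLAPD_CONF = """\
moduleload              back_ldap
include                 /etc/openldap/schema/core.schema
pidfile                 /var/run/openldap/slapd.pid
argsfile                /var/run/openldap/slapd.args
sizelimit               unlimited
idletimeout             3600
writetimeout            600
database                ldap
suffix                  "dc=your,dc=tld"
uri                     "ldap://domaincontroller"
chase-referrals         no
idassert-bind           bindmethod=simple
loglevel                1
"""

# Constructed hardened variant; the certificate paths are assumed placeholders.
HARDENED_SLAPD_CONF = """\
moduleload              back_ldap
include                 /etc/openldap/schema/core.schema
disallow                bind_anon
sizelimit               500
TLSCACertificateFile    /etc/openldap/certs/ca.pem
TLSCertificateFile      /etc/openldap/certs/proxy.pem
TLSCertificateKeyFile   /etc/openldap/certs/proxy.key
database                ldap
suffix                  "dc=your,dc=tld"
uri                     "ldap://domaincontroller"
tls                     start
chase-referrals         no
idassert-bind           bindmethod=simple
"""

# Constructed: the CentOS 7 default listener line, and the line after the sed edit.
SYSCONFIG_BEFORE = 'SLAPD_URLS="ldapi:/// ldap:///"\n'
SYSCONFIG_AFTER = 'SLAPD_URLS="ldapi:/// ldaps:///"\n'

Section = Dict[str, List[str]]


def parse_slapd_conf(text: str) -> Tuple[Section, List[Section]]:
    """Return (global directives, one dict per 'database' section).

    slapd.conf is line oriented: '#' starts a comment, a line beginning with
    whitespace continues the previous one, directive names are case-insensitive
    and values may be double-quoted. Everything after a 'database' line belongs
    to that database until the next one.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()      # continuation line
        else:
            logical.append(raw.strip())
    global_section: Section = {}
    databases: List[Section] = []
    current = global_section
    for line in logical:
        parts = shlex.split(line)                 # strips the quotes around suffix/uri
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "database":
            current = {}
            databases.append(current)
        current.setdefault(key, []).extend(args)
    return global_section, databases


def audit_slapd_conf(text: str) -> List[str]:
    """Findings for settings that matter once the proxy is reachable from the internet."""
    findings: List[str] = []
    glob, dbs = parse_slapd_conf(text)
    if "bind_anon" not in glob.get("disallow", []):
        findings.append("INFO: 'disallow bind_anon' is not set; slapd itself accepts anonymous "
                        "binds and relies on the backend to refuse unauthenticated searches")
    if "unlimited" in glob.get("sizelimit", []):
        findings.append("INFO: 'sizelimit unlimited' lets a single search return the whole tree")
    missing = [k for k in ("tlscertificatefile", "tlscertificatekeyfile") if k not in glob]
    if missing:
        findings.append("WARN: %s missing; ldaps:/// cannot be served without them" % ", ".join(missing))
    for db in dbs:
        if db.get("database") != ["ldap"]:
            continue
        # back-ldap 'tls start' / 'tls try-start' upgrade the backend connection with
        # StartTLS; 'propagate' depends on the client session, so it is not counted.
        starttls = any(v.endswith("start") for v in db.get("tls", []))
        for uri in db.get("uri", []):
            if uri.lower().startswith("ldap://") and not starttls:
                findings.append(f"WARN: backend uri {uri} is plaintext to the domain "
                                "controller; use ldaps:// or add 'tls start'")
    return findings


def audit_sysconfig(text: str) -> List[str]:
    """Flag plaintext listeners in SLAPD_URLS (ldapi:/// and ldaps:/// are fine)."""
    m = re.search(r'^SLAPD_URLS="?([^"\n]*)"?', text, re.MULTILINE)
    urls = m.group(1).split() if m else ["ldap:///"]   # slapd's default listener
    return [f"WARN: listener {u} accepts plaintext LDAP; keep only ldapi:/// and ldaps:///"
            for u in urls if u.lower().startswith("ldap://")]


if __name__ == "__main__":
    for name, conf, sysc in (("page config", SAMPLE_SLAPD_CONF, SYSCONFIG_BEFORE),
                             ("hardened", HARDENED_SLAPD_CONF, SYSCONFIG_AFTER)):
        print(f"== {name} ==")
        for f in audit_slapd_conf(conf) + audit_sysconfig(sysc) or ["no findings"]:
            print(" ", f)
```

Run against the page's configuration it reports four findings (anonymous binds not refused by the proxy, unlimited size limit, no certificate/key directives, plaintext uri to the domain controller) plus the plaintext ldap:/// listener; the hardened variant reports none. To audit a live host, read /etc/openldap/slapd.conf and /etc/sysconfig/slapd into the two functions instead of the constructed samples.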


  • Interesting YouTube video that covers everything except enabling TLS[2]
  • OpenLDAP as a proxy to Active Directory, as described by Samba[3]
  • A guide by[4]
  • Possible how-to on enabling TLS[5]
  • Here is someone that has already gone through the work for me. Will be working off of this how-to.[6]