FreeBSD Manual Pages

SLAPO-REMOTEAUTH(5)	      File Formats Manual	   SLAPO-REMOTEAUTH(5)

NAME
       slapo-remoteauth - Delegate authentication requests to remote directories,
       e.g. Active Directory

SYNOPSIS
       /usr/local/etc/openldap/slapd.conf

DESCRIPTION
       The remoteauth overlay to slapd(8) provides passthrough authentication
       to remote directory servers, e.g. Active Directory, for LDAP simple
       bind operations. The local LDAP entry referenced in the bind operation
       is mapped to its counterpart in the remote directory. An LDAP bind
       operation is performed against the remote directory and results are
       returned based on those of the remote operation.

       A slapd server configured with the remoteauth overlay handles an
       authentication request based on the presence of userPassword in the
       local entry. If userPassword is present, authentication is performed
       locally; otherwise the remoteauth overlay performs the authentication
       request against the configured remote directory server.

CONFIGURATION
       The following options can be applied to the remoteauth overlay within
       the slapd.conf file. All options should follow the overlay remoteauth
       directive.

       overlay remoteauth
	      This directive adds the remoteauth overlay to the current
	      database, see slapd.conf(5) for details.

       remoteauth_dn_attribute <dnattr>
	      Attribute in the local entry that is used to store the bind DN
	      to a remote directory server.

       remoteauth_mapping <domain> <hostname|LDAP URI|file:///path/to/list_of_hostnames>
	      For a non-Windows deployment, a domain can be considered as a
	      collection of one or more hosts against which the slapd server
	      authenticates on behalf of authenticating users. For a given
	      domain name, the mapping specifies the target server(s), e.g.
	      Active Directory domain controller(s), to connect to via LDAP.
	      The second argument can be given either as a hostname, an LDAP
	      URI, or a file containing a list of hostnames/URIs, one per
	      line. The hostnames are tried in sequence until the connection
	      succeeds.

	      This option can be provided more than once to provide mapping
	      information for different domains. For example:

		  remoteauth_mapping americas file:///path/to/americas.domain.hosts
		  remoteauth_mapping asiapacific file:///path/to/asiapacific.domain.hosts
		  remoteauth_mapping emea emeadc1.emea.example.com

       remoteauth_domain_attribute <attr>
	      Attribute in the local entry that specifies the domain name; any
	      text after "\" or ":" is ignored.

       remoteauth_default_domain <default domain>
	      Default domain.

       remoteauth_default_realm <server>
	      Fallback server to connect to for domains not specified in
	      remoteauth_mapping.

       remoteauth_retry_count <num>
	      Number of connection retries attempted. Default is 3.

       remoteauth_store <on|off>
	      Whether to store the password in the local entry on successful
	      bind. Default is off.

       remoteauth_tls [starttls=yes] [tls_cert=<file>] [tls_key=<file>]
	      [tls_cacert=<file>] [tls_cacertdir=<path>]
	      [tls_reqcert=never|allow|try|demand]
	      [tls_reqsan=never|allow|try|demand] [tls_cipher_suite=<ciphers>]
	      [tls_ecname=<names>] [tls_crlcheck=none|peer|all]
	      Remoteauth specific TLS configuration, see slapd.conf(5) for
	      more details on each of the parameters and defaults.

       remoteauth_tls_peerkey_hash <hostname> <hashname>:<base64 of public key hash>
	      Mapping between remote server hostnames and their public key
	      hashes. Only one mapping per hostname is supported and if any
	      pins are specified, all hosts need to be pinned. If set, pinning
	      is in effect regardless of whether or not certificate name
	      validation is enabled by tls_reqcert.

EXAMPLE
       A typical example configuration of the remoteauth overlay for AD is
       shown below (as a slapd.conf(5) snippet):

	  database <database>
	  #...

	  overlay remoteauth
	  remoteauth_dn_attribute seeAlso
	  remoteauth_domain_attribute associatedDomain
	  remoteauth_default_realm americas.example.com

	  remoteauth_mapping americas file:///home/ldap/etc/remoteauth.americas
	  remoteauth_mapping emea emeadc1.emea.example.com

	  remoteauth_tls starttls=yes tls_reqcert=demand tls_cacert=/home/ldap/etc/example-ca.pem
	  remoteauth_tls_peerkey_hash ldap.americas.tld	sha256:Bxv3MkLoDm6gt/iDfeGNdNNqa5TTpPDdIwvZM/cIgeo=

       Here seeAlso holds the AD bind DN for the user, and associatedDomain
       holds the Windows domain identifier in the form
       <NT-domain-name>:<NT-username>, of which anything following the NT
       domain name, including the ":", is ignored.
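       The following Python script is an added illustration, not part of
       slapd or this manual page. It simulates the target-resolution rules
       documented above (local bind when userPassword is present, domain
       taken from the domain attribute with text after "\" or ":" dropped,
       lookup in remoteauth_mapping, fallback to remoteauth_default_domain
       and remoteauth_default_realm, file:// host lists read one entry per
       line) and adds a configuration lint for the pinning rule that, once
       any remoteauth_tls_peerkey_hash is set, every reachable host must be
       pinned. Assumptions not stated on the page: domain names are compared
       case-insensitively, a pinned hostname is matched against the host part
       of an LDAP URI, and the default realm counts as a reachable host. The
       sample configuration and pin value are constructed.

```python
"""Simulation of slapo-remoteauth target resolution plus a pin-coverage lint.
Added example; not slapd code. Sample config, hosts and pin are constructed."""
import re
from typing import Callable, Dict, List, Optional, Tuple


class RemoteauthConfig:
    def __init__(self) -> None:
        self.dn_attribute: Optional[str] = None
        self.domain_attribute: Optional[str] = None
        self.default_domain: Optional[str] = None
        self.default_realm: Optional[str] = None
        self.retry_count: int = 3            # documented default
        self.mappings: Dict[str, List[str]] = {}   # domain -> hosts/URIs
        self.pins: Dict[str, str] = {}             # hostname -> hashname:base64


def parse_conf(text: str, read_file: Optional[Callable[[str], str]] = None) -> RemoteauthConfig:
    """Parse the remoteauth_* directives of a slapd.conf snippet.
    read_file(path) -> contents is used for file:// mappings (injectable for tests)."""
    cfg = RemoteauthConfig()
    reader = read_file or (lambda p: open(p, encoding="utf-8").read())
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        if key == "remoteauth_dn_attribute":
            cfg.dn_attribute = args[0]
        elif key == "remoteauth_domain_attribute":
            cfg.domain_attribute = args[0]
        elif key == "remoteauth_default_domain":
            cfg.default_domain = args[0].lower()
        elif key == "remoteauth_default_realm":
            cfg.default_realm = args[0]
        elif key == "remoteauth_retry_count":
            cfg.retry_count = int(args[0])
        elif key == "remoteauth_mapping":
            domain, target = args[0].lower(), args[1]
            if target.startswith("file://"):
                # The man page says the file holds hostnames/URIs one per line.
                hosts = [h.strip() for h in reader(target[len("file://"):]).splitlines() if h.strip()]
            else:
                hosts = [target]
            cfg.mappings[domain] = hosts     # assumption: last mapping for a domain wins
        elif key == "remoteauth_tls_peerkey_hash":
            cfg.pins[args[0].lower()] = args[1]
    return cfg


def domain_from_attribute(value: Optional[str], default_domain: Optional[str]) -> Optional[str]:
    """Domain name from the domain attribute: text after the first '\\' or ':' is ignored."""
    if value:
        dom = re.split(r"[\\:]", value, maxsplit=1)[0].strip()
        if dom:
            return dom.lower()   # assumption: case-insensitive domain matching
    return default_domain


def resolve_targets(cfg: RemoteauthConfig, entry: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """Return ('local', []) when the entry carries userPassword, otherwise
    ('remote', hosts) with the servers that would be tried in sequence."""
    if entry.get("userPassword"):
        return ("local", [])
    values = entry.get(cfg.domain_attribute or "", [])
    dom = domain_from_attribute(values[0] if values else None, cfg.default_domain)
    hosts = cfg.mappings.get(dom, []) if dom else []
    if not hosts and cfg.default_realm:
        hosts = [cfg.default_realm]          # fallback for unmapped domains
    return ("remote", list(hosts))


def hostname_of(target: str) -> str:
    """Host part of a bare hostname or an ldap:// / ldaps:// URI (assumption: pins key on this)."""
    m = re.match(r"^(?:ldaps?://)?([^:/]+)", target)
    return (m.group(1) if m else target).lower()


def lint_pins(cfg: RemoteauthConfig) -> List[str]:
    """If any pin is configured, every reachable host must be pinned.
    Returns the sorted list of hosts that lack a remoteauth_tls_peerkey_hash."""
    if not cfg.pins:
        return []
    targets = [h for hosts in cfg.mappings.values() for h in hosts]
    if cfg.default_realm:
        targets.append(cfg.default_realm)    # assumption: the fallback server is reachable too
    return sorted({hostname_of(t) for t in targets if hostname_of(t) not in cfg.pins})


# Constructed sample modelled on the EXAMPLE section; the pin is a placeholder.
SAMPLE_CONF = """\
overlay remoteauth
remoteauth_dn_attribute seeAlso
remoteauth_domain_attribute associatedDomain
remoteauth_default_realm americas.example.com
remoteauth_mapping americas ldaps://dc1.americas.example.com
remoteauth_mapping emea emeadc1.emea.example.com
remoteauth_tls starttls=yes tls_reqcert=demand
remoteauth_tls_peerkey_hash dc1.americas.example.com sha256:PLACEHOLDER_BASE64_PIN
"""

if __name__ == "__main__":
    cfg = parse_conf(SAMPLE_CONF)
    print(resolve_targets(cfg, {"associatedDomain": ["EMEA:jdoe"]}))
    print(resolve_targets(cfg, {"associatedDomain": ["apac:jdoe"]}))
    print("hosts without a pin:", lint_pins(cfg))
```

       Run stand-alone, the script shows that an EMEA user is sent to
       emeadc1.emea.example.com, an unmapped domain falls through to the
       default realm, and that the sample pins only one of the three hosts
       the overlay could contact, which is exactly the situation the
       "all hosts need to be pinned" rule forbids.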

SEE ALSO
       slapd.conf(5), slapd(8).

Copyrights
       Copyright 2004-2024 The OpenLDAP Foundation. Portions Copyright
       2004-2017 Howard Chu, Symas Corporation. Portions Copyright 2017-2021
       Ondřej Kuzník, Symas Corporation. Portions Copyright 2004 Hewlett-
       Packard Company

OpenLDAP 2.6.9			  2024/11/26		   SLAPO-REMOTEAUTH(5)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=slapo-remoteauth&sektion=5&manpath=FreeBSD+Ports+14.3.quarterly>