
We're in the process of setting up a Jabber server on Amazon EC2 right now, and we'd like to have our internal users authenticate via LDAP so we don't have to create/manage a separate set of user accounts than the master directory in the office.

My question is: is there a way to copy, unidirectionally, a segment of our internal LDAP directory (the user accounts OU) to an external LDAP server and authenticate Jabber against that?

We're trying to work around having our externally hosted machines out in the cloud accessing our internal network directly... If we can replicate in one direction only a subset of the user accounts, then if that gets compromised we don't necessarily have a critical security breach into our internal network.

colemanm

3 Answers


You can export part of your LDAP tree with `ldapsearch` to an LDIF file and add it to your other LDAP server with `ldapadd` or `ldapmodify`.

There are also products which support automatic or semi-automatic replication in one direction, like the Fedora Directory Server.

Jabber can be authenticated against LDAP, but I can't tell you how. Perhaps someone else can answer this part.

Christian
  • Our main LDAP directory is on Snow Leopard Server, and I found this KB article about exporting with ldapsearch: http://support.apple.com/kb/TA24123, but I'm getting an error: "ldap_sasl_interactive_bind_s: Local error (-2)". Seems I can't query the LDAP server for any results... – colemanm Jan 12 '10 at 19:43
  • you do not get authenticated to the ldap server. the article is missing any authentication parameters. take a look at the manpage of `ldapsearch`. try it with the simple authentication method. – Christian Jan 12 '10 at 21:18
  • It worked with the "-x" switch for simple authentication, but now I'm getting a `No such object (32)` error. The command I'm running is: `sudo ldapsearch -x -LLL -H ldap://server.domain.net -b "cn=users,dc=domain,dc=net"` -- should be the correct DN for the "users" container on OS X Server... – colemanm Jan 12 '10 at 21:33
  • I don't know your LDAP tree. Try the search with a shorter search string (`dc=domain,dc=net` or `dc=net`) or access the LDAP tree with an LDAP browser to see the structure. – Christian Jan 12 '10 at 22:57
  • It seems like no matter what `ldapsearch` parameters I give, it still returns `No such object (32)`. Is there possibly some configuration on our Open Directory that's not set correctly? – colemanm Jan 13 '10 at 15:02
  • Open Directory may not allow anonymous queries... you might need to authenticate to the LDAP server first. Use -D to specify a user (e.g. cn=foo,dc=blah,dc=com) – James Jan 13 '10 at 15:57
  • Turned out my problem was that I omitted the server name from the Base DN search... I stuck too closely to the syntax used in that Apple KB article, which doesn't show the server name in the search base. I've now got an exported .ldif file that I can move around. Thanks! – colemanm Jan 15 '10 at 15:40
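The export/filter/import path this answer describes, written out as a small POSIX shell script. This is an added example, not code from the thread or from any of the commenters; the server URIs, base DN, bind DNs and the sample LDIF are constructed placeholders. It follows the thread's own choices (`-x` simple bind, `-LLL` for plain LDIF) and adds the step a one-way copy to a less trusted host should have: the `ldapsearch` request names only the attributes Jabber needs, and `drop_attrs` strips anything else (including LDIF folded continuation lines) before the file leaves the office. The sample LDIF at the bottom exercises the filter offline; `replicate_users` is the function you would run against real servers.

```shell
#!/bin/sh
# Added example (not from the thread): one-way copy of the user-accounts
# container to an LDIF file, minimised to what Jabber needs, then loaded into
# the external server with ldapadd. All names below are placeholders.

INTERNAL_URI="ldap://directory.office.example.net"   # assumption: office master
EXTERNAL_URI="ldap://ldap.jabber.example.net"        # assumption: EC2 copy
SEARCH_BASE="cn=users,dc=example,dc=net"             # assumption: users container
INT_BIND_DN="uid=replicator,cn=users,dc=example,dc=net"
EXT_BIND_DN="cn=admin,dc=example,dc=net"

# Attributes the external copy may hold: identity, display name, and the
# password hash (Jabber cannot authenticate against the copy without it).
KEEP_ATTRS="uid cn sn mail userPassword objectClass"
# Belt-and-braces list of attributes that must never leave the office even
# if someone widens KEEP_ATTRS later.
DROP_ATTRS="telephoneNumber homeDirectory loginShell"

# export_subtree: dump the container as LDIF with a simple bind (-x), no
# comments or version line (-LLL), requesting only KEEP_ATTRS. Password is
# prompted for (-W) rather than put on the command line.
export_subtree() {
    # shellcheck disable=SC2086  # KEEP_ATTRS is meant to word-split
    ldapsearch -x -LLL -H "$INTERNAL_URI" -D "$INT_BIND_DN" -W \
        -b "$SEARCH_BASE" "(objectClass=inetOrgPerson)" $KEEP_ATTRS
}

# drop_attrs: read LDIF on stdin, remove every attribute named in $1
# (space-separated, case-insensitive). LDIF folds long values onto
# following lines that start with one space; those belong to the attribute
# above them, so they are dropped together with it.
drop_attrs() {
    awk -v deny="$1" '
    BEGIN {
        n = split(deny, d, " ")
        for (i = 1; i <= n; i++) deny_map[tolower(d[i])] = 1
    }
    /^ / { if (!skip) print; next }       # continuation of previous attribute
    {
        skip = 0
        if (match($0, /^[A-Za-z][A-Za-z0-9.;-]*:/)) {
            attr = tolower(substr($0, 1, RLENGTH - 1))
            if (attr in deny_map) { skip = 1; next }
        }
        print                              # dn:, kept attributes, blank lines
    }'
}

# import_ldif: load the filtered file into the external server. -c keeps
# going past entries that already exist instead of aborting the whole run.
import_ldif() {
    ldapadd -x -H "$EXTERNAL_URI" -D "$EXT_BIND_DN" -W -c -f "$1"
}

# replicate_users: the real one-way push (office -> cloud). Not run here.
replicate_users() {
    out="users-$(date +%Y%m%d).ldif"
    export_subtree | drop_attrs "$DROP_ATTRS" > "$out" || return 1
    import_ldif "$out"
}

# sample_ldif: constructed data standing in for ldapsearch output, so the
# filter can be exercised without any LDAP server. The telephoneNumber
# value is folded onto a second line on purpose.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,cn=users,dc=example,dc=net
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
mail: alice@example.net
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtc2FtcGxlLWhhc2g=
telephoneNumber: +1 555 0100
 1234
homeDirectory: /Users/alice

dn: uid=bob,cn=users,dc=example,dc=net
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
sn: Example
description: a value folded across two lines, which must survive intact
 example continuation
EOF
}

# demo_filter: run the constructed sample through the attribute filter.
demo_filter() {
    sample_ldif | drop_attrs "$DROP_ATTRS"
}

demo_filter
```

Because `ldapsearch` returns only the attributes you list, the filter mostly matters as a second line of defence and for LDIF files produced by other tools (an Open Directory export, a colleague's ad-hoc dump). Run `replicate_users` from a cron job on an office host so that the connection is always initiated from the inside; the EC2 instance never needs a route back to the directory.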

Once you get an LDIF file created, ldapdiff (https://launchpad.net/ldapdiff) is an awesome tool for syncing changes between LDAP servers.

James
  • That definitely looks like something we could use once we get a proper LDIF file exported... Thanks. – colemanm Jan 13 '10 at 15:03

If I understand correctly, you want to "push" some accounts from your internal LDAP directory out to another directory in the cloud?

If your directory is OpenLDAP, you can set up partial replication, using a push based config. See their admin guide.

If not, you can use a synchronization tool that will connect to your internal directory, query it for the accounts you want to push out, and connect to your directory in the cloud to update them there. LDAP Synchronization Connector (LSC) is one such tool that would do this, available as open source.

Jonathan Clarke