.TH SLAPO-REMOTEAUTH 5 "2025/05/22" "OpenLDAP 2.6.10"
.\" Copyright 1998-2024 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
slapo-remoteauth \- Delegate authentication requests to remote directories, e.g. Active Directory
.SH SYNOPSIS
/etc/openldap/slapd.conf
.SH DESCRIPTION
The
.B remoteauth
overlay to
.BR slapd (8)
provides passthrough authentication to remote directory servers, e.g.
Active Directory, for LDAP simple bind operations. The local LDAP entry
referenced in the bind operation is mapped to its counterpart in the remote
directory. An LDAP bind operation is performed against the remote directory
and the result returned to the client is based on the result of that remote
operation.
.LP
A slapd server configured with the
.B remoteauth
overlay handles an authentication request based on the presence of
.B userPassword
in the local entry. If
.B userPassword
is present, authentication is performed locally; otherwise the
.B remoteauth
overlay forwards the authentication request to the configured remote directory
server.
.LP

.SH CONFIGURATION

The following options can be applied to the
.B remoteauth
overlay within the slapd.conf file. All options should follow the
.B overlay remoteauth
directive.

.TP
.B overlay remoteauth
This directive adds the
.B remoteauth
overlay to the current database, see
.BR slapd.conf (5)
for details.

.TP
.B remoteauth_dn_attribute <dnattr>
Attribute in the local entry that holds the DN used to bind to the remote
directory server on the user's behalf.

.TP
.B remoteauth_mapping <domain> <hostname|LDAP URI|file:///path/to/list_of_hostnames>
For a non-Windows deployment, a domain can be considered a collection of
one or more hosts against which the slapd server authenticates on behalf of
authenticating users.
For a given domain name, the mapping specifies the target server(s),
e.g., Active Directory domain controller(s), to connect to via LDAP.
The second argument can be given either as a hostname, an LDAP URI, or a file
containing a list of hostnames/URIs, one per line. The hostnames are tried in
sequence until a connection succeeds.

This option can be provided more than once to provide mapping information for
different domains. For example:

.nf
remoteauth_mapping americas file:///path/to/americas.domain.hosts
remoteauth_mapping asiapacific file:///path/to/asiapacific.domain.hosts
remoteauth_mapping emea emeadc1.emea.example.com
.fi

.TP
.B remoteauth_domain_attribute <attr>
Attribute in the local entry that specifies the domain name; any text after
"\\" or ":" is ignored.

.TP
.B remoteauth_default_domain <default domain>
Default domain.

.TP
.B remoteauth_default_realm <server>
Fallback server to connect to for domains not specified in
.BR remoteauth_mapping .

.TP
.B remoteauth_retry_count <num>
Number of connection retries attempted. Default is 3.

.TP
.B remoteauth_store <on|off>
Whether to store the password in the local entry on successful bind. Default is
off. Note that once
.B userPassword
is present in the local entry, subsequent binds for that entry are
authenticated locally rather than forwarded to the remote directory (see
DESCRIPTION).

.HP
.hy 0
.B remoteauth_tls
.B [starttls=yes]
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all]
.RS
Remoteauth specific TLS configuration, see
.BR slapd.conf (5)
for more details on each of the parameters and defaults.
The forwarded operation is a simple bind, so the user's password is sent to
the remote server in the clear unless the connection is protected by TLS
(starttls=yes, or an ldaps:// URI in the mapping).
.RE

.TP
.B remoteauth_tls_peerkey_hash <hostname> <hashname>:<base64 of public key hash>
Mapping between remote server hostnames and their public key hashes.
Only one
mapping per hostname is supported and if any pins are specified, all hosts
need to be pinned. If set, pinning is in effect regardless of whether or not
certificate name validation is enabled by
.BR tls_reqcert .

.SH EXAMPLE
A typical example configuration of the
.B remoteauth
overlay for AD is shown below (as a
.BR slapd.conf (5)
snippet):

.LP
.nf
database <database>
#...

overlay remoteauth
remoteauth_dn_attribute seeAlso
remoteauth_domain_attribute associatedDomain
remoteauth_default_realm americas.example.com

remoteauth_mapping americas file:///home/ldap/etc/remoteauth.americas
remoteauth_mapping emea emeadc1.emea.example.com

remoteauth_tls starttls=yes tls_reqcert=demand tls_cacert=/home/ldap/etc/example-ca.pem
remoteauth_tls_peerkey_hash ldap.americas.tld sha256:Bxv3MkLoDm6gt/iDfeGNdNNqa5TTpPDdIwvZM/cIgeo=
.fi

Here
.B seeAlso
contains the AD bind DN for the user and
.B associatedDomain
contains the Windows domain identifier in the form
<NT-domain-name>:<NT-username>, where the ":" and everything following it are
ignored.

.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd (8).

.SH Copyrights
Copyright 2004-2024 The OpenLDAP Foundation.
Portions Copyright 2004-2017 Howard Chu, Symas Corporation.
Portions Copyright 2017-2021 Ondřej Kuzník, Symas Corporation.
Portions Copyright 2004 Hewlett-Packard Company
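.SH PUBLIC KEY PIN EXAMPLE
The
.B remoteauth_tls_peerkey_hash
directive above takes a "<hashname>:<base64 of public key hash>" value but does not say how to produce one. The script below is an added example, not part of this man page or of the OpenLDAP sources, and it assumes the pin is the named digest over the DER-encoded SubjectPublicKeyInfo of the remote server's certificate, base64-encoded (the same construction that ldap.conf(5) uses for TLS_PEERKEY_HASH). The function names (spki_pin, spki_pin_from_key, remoteauth_pin_line, pin_all_hosts, make_demo_cert), the hostnames and the hosts file are all constructed for the example; the only tool required is openssl(1). pin_all_hosts ties the pin to the file:/// form of remoteauth_mapping: it emits one directive per host listed in the file and fails if any host has no certificate, matching the rule that once any pin is set every host must be pinned.

```shell
#!/bin/sh
# Added example, not part of the OpenLDAP man page or source tree.
# Derives the value expected by remoteauth_tls_peerkey_hash from a server
# certificate. Assumption: the pin is the named digest over the DER-encoded
# SubjectPublicKeyInfo of the peer certificate, base64-encoded (the same
# construction as ldap.conf(5) TLS_PEERKEY_HASH). Needs openssl(1) only.
set -eu

# spki_pin CERT.pem [DIGEST] -> "<digest>:<base64 of SPKI digest>"
spki_pin() {
    cert=$1
    digest=${2:-sha256}
    digest_b64=$(openssl x509 -in "$cert" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst "-$digest" -binary \
        | openssl base64 -A)
    printf '%s:%s\n' "$digest" "$digest_b64"
}

# spki_pin_from_key KEY.pem [DIGEST]: the same pin computed from the private
# key, so a pin can be agreed before the certificate is (re)issued; the pin
# survives certificate renewal as long as the key pair is kept.
spki_pin_from_key() {
    key=$1
    digest=${2:-sha256}
    digest_b64=$(openssl pkey -in "$key" -pubout -outform DER \
        | openssl dgst "-$digest" -binary \
        | openssl base64 -A)
    printf '%s:%s\n' "$digest" "$digest_b64"
}

# remoteauth_pin_line HOST CERT.pem: emit one slapd.conf directive.
remoteauth_pin_line() {
    printf 'remoteauth_tls_peerkey_hash %s %s\n' "$1" "$(spki_pin "$2")"
}

# pin_all_hosts HOSTS_FILE CERT_DIR: one directive per host named in a
# remoteauth_mapping file:/// list (plain hostnames, one per line; LDAP URIs
# are not handled here), reading CERT_DIR/<host>.pem. Fails when a host has
# no certificate, since once any pin is configured every host must be pinned.
pin_all_hosts() {
    while IFS= read -r host || [ -n "$host" ]; do
        [ -n "$host" ] || continue
        if [ ! -f "$2/$host.pem" ]; then
            echo "pin_all_hosts: no certificate for $host" >&2
            return 1
        fi
        remoteauth_pin_line "$host" "$2/$host.pem"
    done < "$1"
}

# make_demo_cert DIR HOST: constructed test material, a self-signed EC
# certificate standing in for a domain controller's certificate.
make_demo_cert() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key" 2>/dev/null
    openssl req -new -x509 -key "$1/$2.key" -out "$1/$2.pem" \
        -subj "/CN=$2" -days 1 2>/dev/null
}

# Demo: two hypothetical domain controllers listed in an americas hosts file,
# as a remoteauth_mapping file:/// argument would reference.
demo=$(mktemp -d)
printf '%s\n' dc1.americas.example.com dc2.americas.example.com > "$demo/americas.hosts"
make_demo_cert "$demo" dc1.americas.example.com
make_demo_cert "$demo" dc2.americas.example.com
pin_all_hosts "$demo/americas.hosts" "$demo"
```

Run the script against the real server certificates (for example saved from `openssl s_client -starttls ldap -showcerts`) rather than the demo ones, and paste the emitted lines into slapd.conf after the remoteauth_tls directive. Because the pin covers the public key and not the certificate, it does not change when the remote server renews its certificate with the same key, but it must be updated whenever the key is rotated, otherwise remote authentication fails closed.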