.TH SLAPO-REMOTEAUTH 5 "2025/05/22" "OpenLDAP 2.6.10"
.\" Copyright 1998-2024 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
slapo-remoteauth \- Delegate authentication requests to remote directories, e.g. Active Directory
.SH SYNOPSIS
/etc/openldap/slapd.conf
.SH DESCRIPTION
The
.B remoteauth
overlay to
.BR slapd (8)
provides passthrough authentication to remote directory servers, e.g.
Active Directory, for LDAP simple bind operations. The local LDAP entry
referenced in the bind operation is mapped to its counterpart in the remote
directory. An LDAP bind operation is performed against the remote directory
and results are returned based on those of the remote operation.
.LP
A slapd server configured with the
.B remoteauth
overlay handles an authentication request based on the presence of
.B userPassword
in the local entry. If
.B userPassword
is present, authentication is performed locally; otherwise the
.B remoteauth
overlay performs the authentication request against the configured remote directory
server.
.LP
.SH CONFIGURATION
The following options can be applied to the
.B remoteauth
overlay within the slapd.conf file. All options should follow the
.B overlay remoteauth
directive.
.TP
.B overlay remoteauth
This directive adds the
.B remoteauth
overlay to the current database, see
.BR slapd.conf (5)
for details.
.TP
.B remoteauth_dn_attribute <dnattr>
Attribute in the local entry that is used to store the bind DN to a remote
directory server.
.TP
.B remoteauth_mapping <domain> <hostname|LDAP URI|file:///path/to/list_of_hostnames>
For a non-Windows deployment, a domain can be considered as a collection of
one or more hosts that the slapd server authenticates against on behalf of
authenticating users.
For a given domain name, the mapping specifies the target server(s),
e.g., Active Directory domain controller(s), to connect to via LDAP.
The second argument can be given either as a hostname, an LDAP URI, or a file
containing a list of hostnames/URIs, one per line. The hostnames are tried in
sequence until the connection succeeds.

This option can be provided more than once to provide mapping information for
different domains. For example:

.nf
remoteauth_mapping americas file:///path/to/americas.domain.hosts
remoteauth_mapping asiapacific file:///path/to/asiapacific.domain.hosts
remoteauth_mapping emea emeadc1.emea.example.com
.fi
.TP
.B remoteauth_domain_attribute <attr>
Attribute in the local entry that specifies the domain name; any text after
"\\" or ":" is ignored.
.TP
.B remoteauth_default_domain <default domain>
Default domain.
.TP
.B remoteauth_default_realm <server>
Fallback server to connect to for domains not specified in
.BR remoteauth_mapping .
.TP
.B remoteauth_retry_count <num>
Number of connection retries attempted. Default is 3.
.TP
.B remoteauth_store <on|off>
Whether to store the password in the local entry on successful bind. Default is
off.
.HP
.hy 0
.B remoteauth_tls
.B [starttls=yes]
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all]
.RS
Remoteauth specific TLS configuration, see
.BR slapd.conf (5)
for more details on each of the parameters and defaults.
.RE
.TP
.B remoteauth_tls_peerkey_hash <hostname> <hashname>:<base64 of public key hash>
Mapping between remote server hostnames and their public key hashes. Only one
mapping per hostname is supported and if any pins are specified, all hosts
need to be pinned. If set, pinning is in effect regardless of whether or not
certificate name validation is enabled by
.BR tls_reqcert .
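The routing rules above (local authentication when userPassword is present; otherwise the domain is taken from the domain attribute up to the first "\\" or ":", resolved through remoteauth_mapping with remoteauth_default_realm as the fallback) as an added Python model for checking a configuration before deployment. This is illustrative code, not the overlay's own implementation: RemoteauthConfig, route_bind, write_hosts_file and the host lists are constructed here, and domain-name matching is assumed to be case-sensitive because the page does not say.

```python
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RemoteauthConfig:
    """The subset of remoteauth_* directives the routing decision depends on (constructed model)."""
    dn_attribute: str                                      # remoteauth_dn_attribute
    domain_attribute: str                                  # remoteauth_domain_attribute
    mapping: Dict[str, str] = field(default_factory=dict)  # remoteauth_mapping <domain> <target>
    default_domain: Optional[str] = None                   # remoteauth_default_domain
    default_realm: Optional[str] = None                    # remoteauth_default_realm


def domain_from_attribute(value: str) -> str:
    """Keep only the text before the first backslash or colon, e.g. americas:jdoe -> americas."""
    for sep in ("\\", ":"):
        value = value.split(sep, 1)[0]
    return value


def targets_for(cfg: RemoteauthConfig, domain: str) -> List[str]:
    """Expand a mapping value (hostname, LDAP URI, or file:// list with one host per line);
    unmapped domains fall back to remoteauth_default_realm. Assumes exact (case-sensitive) keys."""
    target = cfg.mapping.get(domain)
    if target is None:
        return [cfg.default_realm] if cfg.default_realm else []
    if target.startswith("file://"):
        with open(target[len("file://"):], encoding="utf-8") as fh:
            return [line.strip() for line in fh if line.strip()]  # tried in this order
    return [target]


def route_bind(cfg: RemoteauthConfig, entry: Dict[str, str]) -> dict:
    """Decide how a simple bind against this local entry would be handled:
    locally when userPassword exists, otherwise delegated to the mapped remote servers."""
    if "userPassword" in entry:
        return {"mode": "local"}
    raw = entry.get(cfg.domain_attribute)
    domain = domain_from_attribute(raw) if raw else cfg.default_domain
    return {"mode": "remote", "domain": domain,
            "bind_dn": entry.get(cfg.dn_attribute),
            "targets": targets_for(cfg, domain) if domain else []}


def write_hosts_file(hosts: List[str]) -> str:
    """Write a constructed host list in the file:// mapping format and return its path."""
    fd, path = tempfile.mkstemp(suffix=".hosts")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(hosts) + "\n")
    return path
```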
.SH EXAMPLE
A typical example configuration of the
.B remoteauth
overlay for AD is shown below (as a
.BR slapd.conf (5)
snippet):
.LP
.nf
database <database>
#...

overlay remoteauth
remoteauth_dn_attribute seeAlso
remoteauth_domain_attribute associatedDomain
remoteauth_default_realm americas.example.com

remoteauth_mapping americas file:///home/ldap/etc/remoteauth.americas
remoteauth_mapping emea emeadc1.emea.example.com

remoteauth_tls starttls=yes tls_reqcert=demand tls_cacert=/home/ldap/etc/example-ca.pem
remoteauth_tls_peerkey_hash ldap.americas.tld sha256:Bxv3MkLoDm6gt/iDfeGNdNNqa5TTpPDdIwvZM/cIgeo=
.fi
.LP
Here seeAlso contains the AD bind DN for the user, and associatedDomain contains the
Windows Domain Id in the form <NT-domain-name>:<NT-username>, in which the ":"
and anything following it are ignored.
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd (8).
.SH Copyrights
Copyright 2004-2024 The OpenLDAP Foundation.
Portions Copyright 2004-2017 Howard Chu, Symas Corporation.
Portions Copyright 2017-2021 Ondřej Kuzník, Symas Corporation.
Portions Copyright 2004 Hewlett-Packard Company