openldap proxy to AD with TLS

slapd

#file /etc/sysconfig/slapd
# OpenLDAP server configuration
# see 'man slapd' for additional information

# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
#   (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldap:/// ldaps:///"

# Any custom options
SLAPD_OPTIONS="-4"

# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"

slapd.conf

#file /etc/openldap/slapd.conf
#Global Schemas
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema


#Global options
conn_max_pending 1000
sockbuf_max_incoming 4194303
loglevel 256
sizelimit unlimited
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args


#LDAP Proxy Options
modulepath /usr/lib64/openldap
moduleload back_ldap
moduleload rwm
database ldap
suffix "dc=domain,dc=local"
#subordinate
rebind-as-user yes
uri ldaps://UKADC01.domain.local,ldaps://UKADC02.domain.local
chase-referrals no
readonly yes
protocol-version 3
idassert-bind bindmethod=simple
    binddn="cn=svc_test_ad,ou=Service Accounts,ou=Admin,ou=Infrastructure,dc=domain,dc=local"
    credentials="XxxxxxxxX"
    tls_reqcert=never
    tls_cacert=/etc/openldap/certs/ukdc2-ldapserver.pem

###############################################################
#                 OPTIONAL DATA MANIPULATION                  #
###############################################################
# more info: http://www.openldap.org/software/man.cgi?query=slapo-rwm
#Enable If there is a requirement to alter data on  the fly
#overlay                 rwm
#rwm-rewriteEngine       on
#rwm-rewriteContext default
#rwm-rewriterule "^(.+)\\\\2C(.*)" "$1\\,$2" ":"

#Enable if altered data needs a mapping to a different value
#rwm-map                 attribute       uid     sAMAccountName
#rwm-map                 attribute       mail    proxyAddresses
###############################################################

TLSVerifyClient never
#CA Certificate
TLSCACertificateFile  /etc/openldap/certs/ukdc2-ldapserver.pem
#certs for doamin ldap-proxy.aws.domain.local
TLSCertificateFile    /etc/openldap/certs/ldap-proxy.pem
TLSCertificateKeyFile /etc/openldap/certs/ldap-proxy.pem
#allow selfsigned certs
tls ldaps tls_reqcert=allow tls_cacert=/etc/openldap/certs/ukdc2-ldapserver.pem
conn-ttl 3600

verification.MD

verification command

#without SSL

$ ldapsearch -vxH ldap://10.140.0.10 -b "dc=domain,dc=local" \
  -D "cn=svc_test_ad,ou=Service Accounts,ou=Admin,ou=Infrastructure,dc=domain,dc=local" \
  -w "XxxxxxxxxxxxX" sAMAccountName="user123"

#with SSL
$ LDAPTLS_REQCERT=never ldapsearch -vxH ldaps://10.140.0.10 -b "dc=domain,dc=local" \
  -D "cn=svc_test_ad,ou=Service Accounts,ou=Admin,ou=Infrastructure,dc=domain,dc=local" \
  -w "XxxxxxxxxxxxX" sAMAccountName="user123"
  
$ LDAPTLS_REQCERT=never ldapsearch -vxH ldaps://ldap-proxy.aws.domain.local -b "dc=domain,dc=local" \
  -D "cn=svc_test_ocp,ou=Service Accounts,ou=Admin,ou=Infrastructure,dc=domain,dc=local" \
  -w "XxxxxxxxxxxxX" -s sub "(&(objectCategory=user)(memberOf=CN=r-ocp-devtool-admin,OU=DOCET,OU=Admin Groups,OU=Admin,OU=Infrastructure,DC=domain,DC=local))"