LDAP Read-Only with WebADM and OpenOTP

How To Configure WebADM with a Read-Only Active Directory

In some circumstances, we cannot write to the LDAP backend. In that case, we need to store some configuration objects in a local LDAP database and the users' extra information in a SQL database.

In this example, we start with a WebADM server running with a local MariaDB and RCDevs Directory Server. It can be the VMware appliance or a new installation. We will configure it to use a read-only Active Directory server.

1. WebADM Configuration

We edit /opt/webadm/conf/webadm.conf and change the webadm_account_oclasses and webadm_group_oclasses parameters. They should contain the following classes:

webadm_account_oclasses "person"
webadm_group_oclasses "group", "groupOfNames", "groupOfUniqueNames", "groupOfURLs", "posixGroup"

We also change the data store to SQL:

data_store SQL

We restart WebADM:

/opt/webadm/bin/webadm restart
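As an added example (not part of the RCDevs documentation and not WebADM code), the following Python script parses the two object-class parameters and data_store from a constructed webadm.conf excerpt, checks that the settings required by this how-to are present, and shows which typical Active Directory entries (constructed objectClass lists) the person and group classes match. The matching rule used here (any listed class present in the entry's objectClass values, case-insensitive) is an assumption for illustration, not a statement about WebADM's actual implementation.

```python
"""Added example: parse webadm.conf-style object-class settings and show
which LDAP entries they match.  Not RCDevs code; the matching rule is an
assumption for illustration only."""
import re
from typing import Dict, Iterable, List

# Constructed excerpt of the webadm.conf lines set in this how-to.
SAMPLE_CONF = '''
# comment lines and blank lines must be ignored
webadm_account_oclasses "person"
webadm_group_oclasses "group", "groupOfNames", "groupOfUniqueNames", "groupOfURLs", "posixGroup"
data_store SQL
'''

_QUOTED = re.compile(r'"([^"]*)"')


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Return parameter name -> list of values.

    Quoted, comma-separated values become a list; a bare unquoted word
    (e.g. data_store SQL) becomes a one-element list.
    """
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        values = _QUOTED.findall(rest)
        settings[key] = values if values else [rest.strip()]
    return settings


def verify_readonly_setup(settings: Dict[str, List[str]]) -> List[str]:
    """Return a list of problems (empty when the how-to's settings are present)."""
    problems: List[str] = []
    if settings.get("data_store") != ["SQL"]:
        problems.append("data_store must be SQL for a read-only LDAP backend")
    if "person" not in settings.get("webadm_account_oclasses", []):
        problems.append("webadm_account_oclasses must include person")
    if "group" not in settings.get("webadm_group_oclasses", []):
        problems.append("webadm_group_oclasses must include group")
    return problems


def classify(entry_oclasses: Iterable[str], settings: Dict[str, List[str]]) -> str:
    """Return 'account', 'group' or 'unknown' for an entry's objectClass values.

    Assumed rule: the entry is an account if any configured account class is
    present, otherwise a group if any configured group class is present.
    """
    have = {c.lower() for c in entry_oclasses}
    accounts = {c.lower() for c in settings.get("webadm_account_oclasses", [])}
    groups = {c.lower() for c in settings.get("webadm_group_oclasses", [])}
    if have & accounts:
        return "account"
    if have & groups:
        return "group"
    return "unknown"


# Constructed objectClass lists typical of Active Directory entries.
AD_USER = ["top", "person", "organizationalPerson", "user"]
AD_GROUP = ["top", "group"]
AD_COMPUTER = ["top", "person", "organizationalPerson", "user", "computer"]
AD_OU = ["top", "organizationalUnit"]

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("problems:", verify_readonly_setup(conf) or "none")
    for name, ocs in [("user", AD_USER), ("group", AD_GROUP),
                      ("computer", AD_COMPUTER), ("ou", AD_OU)]:
        print(f"{name:9s} -> {classify(ocs, conf)}")
```

The computer entry is classified as an account as well: in the Active Directory schema, computer objects inherit from user and therefore also carry the person class, so the object-class filter alone does not separate them from user accounts. Restricting the User Search Base of the local domain (section 4) is what limits which entries are actually considered.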

2. Container Creation

In WebADM, we create a container for the mount point. We click on Create, select Domain and click on Proceed.

We enter a name for the domain, for example test, and click on Proceed.

We click on Create Object.

3. Mount Point Creation

To create a mount point, we click on the Admin tab and then on the LDAP Mount Points box.

We click on Add MountPoint.

We enter a name and click on Proceed.

We click on Create Object.

We click on Select and choose the container created earlier as the Mount DN. We then enter the IP address of the Active Directory server in the Host Name(s) field, the port number, the Tree Base of the AD, and the AD user and password that WebADM uses to bind to the LDAP server.

Note

The AD user only needs read access to the Active Directory. Since WebADM never writes to this backend, use a dedicated account with no more than read permissions.

We click on Apply.

4. Local Domain Creation

Now, we create a local domain for the mount point. A local domain is bound to a single LDAP backend, so the default local domain only covers the local OpenLDAP and cannot be used for the mounted Active Directory.

We click on the Admin tab and then on the Local Domains box.

We click on Add Domain.

We enter the name of the domain and click on Proceed.

We click on Create Object.

We select the mount point as the User Search Base. We can add domain name aliases, such as test.local, if needed, and then click on Apply.

The local domain is now configured.

Now, we can test an authentication. The correct local domain must be selected during authentication; otherwise, OpenOTP will not be able to find the user in the mounted Active Directory.