• Active Directory server in the backend stores all user data and passwords.
  • OpenLDAP installed on an Ubuntu server in the frontend is a read-only LDAP service that provides user data to other servers (web, app, ...), using LSC to sync the data from Active Directory. This server also authenticates users by passing requests through to the Active Directory server via the saslauthd service, so OpenLDAP acts as the single sign-on service.

Example: the login process for the user name Jenkins:

Install and configure OpenLDAP

Note: libsasl2-modules-gssapi-mit may not be needed.
Admin username and password: admin / demopassword
(note that admin is the default admin username in OpenLDAP)
Edit the file /etc/ldap/ldap.conf and add:

Note: ldap-server is the hostname of the server where OpenLDAP is installed. To change the hostname in Ubuntu:

Update the hosts file

Update the value:

Select No
Enter DNS domain name: your_ad_domain.local
Enter organization name: CompanyName
Enter admin password: demopassword
Database backend to use: MDB
Remove the database when slapd is purged: Yes
Move old database: Yes
Allow LDAPv2 protocol? No
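The prompts above can be answered non-interactively with debconf preseeding, which makes the frontend reproducible. The script below is an added example and not part of the original post: it generates the preseed answers for the values listed above, derives the directory suffix slapd builds from the DNS domain, and adds BASE and URI lines to /etc/ldap/ldap.conf (the post's own ldap.conf lines are not reproduced, so those two lines are an assumption). The debconf keys are the slapd package's own; slapd/allow_ldap_v2 is only asked by older slapd packages. ROOT is a hypothetical prefix so the files can first be written into a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post: preseed the slapd debconf answers
# listed above, derive the LDAP suffix, and add BASE/URI to /etc/ldap/ldap.conf.
# ROOT (assumption) is a prefix for writing into a scratch directory; leave it
# empty on the real server.
ROOT="${ROOT:-}"

# debconf answers for "dpkg-reconfigure slapd" in the order the prompts appear.
# $1 = DNS domain, $2 = organisation, $3 = admin password
# slapd/allow_ldap_v2 is only asked by older slapd packages; newer ones ignore it.
build_slapd_preseed() {
    cat <<EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string $1
slapd shared/organization string $2
slapd slapd/password1 password $3
slapd slapd/password2 password $3
slapd slapd/backend select MDB
slapd slapd/purge_database boolean true
slapd slapd/move_old_database boolean true
slapd slapd/allow_ldap_v2 boolean false
EOF
}

# slapd turns the DNS domain into the directory suffix: a.b.local -> dc=a,dc=b,dc=local
domain_to_suffix() {
    printf '%s' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# Client defaults so ldapsearch/ldapwhoami on this box need no -b / -H.
# $1 = DNS domain, $2 = hostname of the OpenLDAP server (ldap-server in the post)
write_ldap_conf() {
    mkdir -p "$ROOT/etc/ldap"
    printf 'BASE %s\nURI ldap://%s\n' "$(domain_to_suffix "$1")" "$2" \
        >> "$ROOT/etc/ldap/ldap.conf"
}

# Live-system steps (run as root):
#   build_slapd_preseed your_ad_domain.local CompanyName demopassword | debconf-set-selections
#   DEBIAN_FRONTEND=noninteractive dpkg-reconfigure slapd
#   write_ldap_conf your_ad_domain.local ldap-server
#   systemctl status slapd                                    # server status
#   ldapsearch -x -H ldap://localhost -b '' -s base           # rootDSE: is slapd answering?
#   ldapwhoami -x -D cn=admin,dc=your_ad_domain,dc=local -W   # does the admin bind work?
```

The preseed file carries the admin password in clear text, so generate it into a root-only location (or pipe it straight into debconf-set-selections as shown) rather than leaving it in a world-readable path.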
Test that LDAP is running:

View LDAP server status:

Install LSC (a tool that syncs data between LDAP servers)

Add the following content:

Import the repository public key:

LSC will sync data from the Active Directory source to OpenLDAP. Content of lsc.xml:
  • ad-server.publicdomain.xyz is a public domain name pointing to the IP address of the AD server from which the data is fetched.
You need a logback configuration in this directory:
To test that it is working:

To run the real sync, remove -n.
Create a crontab entry that runs the sync every 6 hours:

Use Active Directory to authenticate users for LDAP (OpenLDAP pass-through):

Concept: when a user logs in, OpenLDAP checks the user's password field (userPassword). If it has the format {SASL}username@domain.xyz, OpenLDAP authenticates the user via the saslauthd service; saslauthd connects to AD and returns the result.

OpenLDAP service account name: 'openldap' (see the file /etc/default/slapd)
Add the OpenLDAP service account to the sasl group:

Create the file /etc/saslauthd.conf with the following content:

Restart the service to apply the setting:

To test authentication:

Create the file /usr/lib/sasl2/slapd.conf:

OpenLDAP checks the password field; if its format is {SASL}xxx…, it goes to Active Directory to authenticate the user.
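The pass-through chain described above (userPassword with a {SASL} value, saslauthd binding to AD, slapd talking to saslauthd over its socket) is easier to check when all the pieces are written by one script. The block below is an added example and not the post's own configuration: it writes /etc/saslauthd.conf, /etc/default/saslauthd and /usr/lib/sasl2/slapd.conf, and generates the LDIF that switches one OpenLDAP entry to pass-through. The AD host is the one named earlier (ad-server.publicdomain.xyz); the AD search base, the read-only bind account, the user DNs and the ROOT prefix are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: write the three files that make
# OpenLDAP defer password checks to saslauthd, which binds to Active Directory.
# Assumptions: AD host from the post (ad-server.publicdomain.xyz); the AD search
# base, the read-only bind account and the OpenLDAP user DN are hypothetical.
# ROOT is a prefix for writing into a scratch directory; empty on the real server.
ROOT="${ROOT:-}"
AD_HOST="${AD_HOST:-ad-server.publicdomain.xyz}"
AD_BASE="${AD_BASE:-dc=your_ad_domain,dc=local}"
AD_BIND_DN="${AD_BIND_DN:-cn=ldap-reader,cn=Users,dc=your_ad_domain,dc=local}"
AD_BIND_PW="${AD_BIND_PW:-CHANGE_ME_PLACEHOLDER}"

# /etc/saslauthd.conf: saslauthd looks up the AD account whose sAMAccountName
# is the user part (%U) of the {SASL}user@realm value slapd hands it, then
# tries a bind as that account with the supplied password.
write_saslauthd_conf() {
    mkdir -p "$ROOT/etc"
    cat > "$ROOT/etc/saslauthd.conf" <<EOF
ldap_servers: ldap://$AD_HOST/
ldap_search_base: $AD_BASE
ldap_filter: (sAMAccountName=%U)
ldap_bind_dn: $AD_BIND_DN
ldap_password: $AD_BIND_PW
EOF
    chmod 600 "$ROOT/etc/saslauthd.conf"   # holds the bind password
}

# /etc/default/saslauthd: enable the daemon with the ldap mechanism.
write_saslauthd_default() {
    mkdir -p "$ROOT/etc/default"
    cat > "$ROOT/etc/default/saslauthd" <<'EOF'
START=yes
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"
EOF
}

# /usr/lib/sasl2/slapd.conf: slapd's SASL layer checks plaintext passwords
# through the saslauthd socket instead of against a local hash.
write_slapd_sasl_conf() {
    mkdir -p "$ROOT/usr/lib/sasl2"
    cat > "$ROOT/usr/lib/sasl2/slapd.conf" <<'EOF'
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
EOF
}

# userPassword value that triggers pass-through: {SASL}user@realm
sasl_password_value() {
    printf '{SASL}%s@%s' "$1" "$2"
}

# LDIF switching one OpenLDAP entry to pass-through.  $1 = DN, $2 = AD account, $3 = realm
passthrough_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
        "$1" "$(sasl_password_value "$2" "$3")"
}

# Live-system steps (run as root):
#   write_saslauthd_conf; write_saslauthd_default; write_slapd_sasl_conf
#   usermod -aG sasl openldap                 # service account from /etc/default/slapd
#   systemctl restart saslauthd slapd
#   testsaslauthd -u jenkins -p 'jenkins-ad-password' -r your_ad_domain.local   # saslauthd alone
#   passthrough_ldif uid=jenkins,ou=People,dc=your_ad_domain,dc=local jenkins your_ad_domain.local \
#       | ldapmodify -x -D cn=admin,dc=your_ad_domain,dc=local -W
#   ldapwhoami -x -D uid=jenkins,ou=People,dc=your_ad_domain,dc=local -W   # end to end via slapd
```

Testing in that order isolates failures: testsaslauthd succeeding while ldapwhoami fails points at the slapd side (the sasl group membership, slapd.conf, or AppArmor), whereas testsaslauthd failing points at the AD bind account, filter or network path. Because saslauthd sends the user's password to AD in a simple bind, use ldaps:// or a TLS-protected link to the domain controller in production rather than the plain ldap:// shown.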
Fix error:

To resolve:

Set /etc/apparmor.d/usr.sbin.slapd to complain mode.
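Complain mode turns off enforcement for the whole slapd profile and only logs what would have been blocked. The block below is an added example, not from the original post: it keeps the profile in enforce mode and adds just the access pass-through needs. It assumes the denial being worked around is slapd opening the saslauthd socket (the post's error text is not reproduced) and that the packaged profile includes /etc/apparmor.d/local/usr.sbin.slapd, as Ubuntu's does; ROOT is a hypothetical prefix for writing into a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post: keep the slapd AppArmor profile in
# enforce mode and grant only the extra access pass-through needs.
# Assumptions: the denial being worked around is slapd opening the saslauthd
# socket (the post's error text is not reproduced), and the packaged profile
# includes /etc/apparmor.d/local/usr.sbin.slapd, as Ubuntu's does.
ROOT="${ROOT:-}"
LOCAL_PROFILE="etc/apparmor.d/local/usr.sbin.slapd"

# Append a rule for the saslauthd mux socket; {,var/} covers /run and /var/run.
write_slapd_apparmor_local() {
    mkdir -p "$ROOT/etc/apparmor.d/local"
    printf '# saslauthd pass-through (added)\n/{,var/}run/saslauthd/mux rw,\n' \
        >> "$ROOT/$LOCAL_PROFILE"
}

# True if the override is already in place, so the rule is not appended twice.
has_saslauthd_rule() {
    grep -qs 'run/saslauthd/mux rw,' "$ROOT/$LOCAL_PROFILE"
}

# Live-system steps (run as root):
#   has_saslauthd_rule || write_slapd_apparmor_local
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd    # reload; profile stays in enforce
#   aa-status | grep slapd
# If a denial remains, read the real path from the kernel log before widening:
#   dmesg | grep 'apparmor="DENIED".*slapd'
# The post's alternative, aa-complain /usr/sbin/slapd, only logs violations
# instead of blocking them, for the whole profile.
```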