Syncing with OpenLDAP Directory Service
Introduction
OpenLDAP is a free, open source version of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. This topic describes syncing OpenLDAP to Secret Server.
Unsupported and Difficult Use Cases
Anonymous User Authentication
We do not support anonymous user authentication:
When creating an OpenLDAP directory service, "Anonymous" is a supported authentication method. When this is chosen, Secret Server connects anonymously to the OpenLDAP directory service as configured during the synchronization process and creates any users found on the directory service.
When anonymous is selected, a secondary authentication option, "User Authentication," appears, which is the method used when the synchronized users attempt to authenticate to Secret Server. In short, user authentication cannot be anonymous because Secret Server does not allow anonymous access.
The valid options for user authentication when anonymous is selected for the synchronization process are "Basic," "Kerberos," or "No Authentication." "No Authentication" supports using an OpenLDAP directory service as a user directory while enabling alternative methods of authentication, such as SAML.
Duplicate User Attributes
We do not support configurations where different attributes yield users sharing the same username, GUID, or user principal name (which is in email-address format but is not necessarily an actual email address). These must all be unique to each user. If a duplicate exists, it may result in odd, unpredictable behavior from the application.
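An added example, not Delinea's code: this PowerShell script scans an LDIF export of the users to be synced and reports values that collide on the identity attributes that must be unique. The attribute names (uid, entryUUID, mail) and the LDIF sample are assumptions; substitute whichever attributes your directory service maps to username, GUID and user principal name.

```powershell
# Constructed sample LDIF export (not real directory data). Two entries in different
# OUs share uid "jsmith", and their mail values differ only in case.
$Ldif = @'
dn: uid=jsmith,ou=people,dc=omegaldap,dc=local
uid: jsmith
entryUUID: 0c2a1e8e-0000-4000-8000-000000000001
mail: jsmith@omegaldap.local

dn: uid=john.smith,ou=contractors,dc=omegaldap,dc=local
uid: jsmith
entryUUID: 0c2a1e8e-0000-4000-8000-000000000002
mail: JSmith@omegaldap.local

dn: uid=adoe,ou=people,dc=omegaldap,dc=local
uid: adoe
entryUUID: 0c2a1e8e-0000-4000-8000-000000000003
mail: adoe@omegaldap.local
'@

function Find-DuplicateIdentityAttributes {
    param([string]$LdifText, [string[]]$Attributes = @('uid', 'entryUUID', 'mail'))
    # Minimal LDIF reader: entries are separated by blank lines. Continuation lines and
    # base64 ("::") values are not handled, so export with plain values before running this.
    $entries = @()
    foreach ($block in ($LdifText -split '(?:\r?\n){2,}')) {
        $entry = @{}
        foreach ($line in ($block -split '\r?\n')) {
            if ($line -match '^([A-Za-z][\w-]*):\s*(.*)$') { $entry[$Matches[1]] = $Matches[2] }
        }
        if ($entry.ContainsKey('dn')) { $entries += $entry }
    }
    # Compare case-insensitively: usernames and UPNs are matched without regard to case.
    foreach ($attr in $Attributes) {
        $entries | Where-Object { $_.ContainsKey($attr) } |
            Group-Object { $_[$attr].ToLowerInvariant() } |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                [pscustomobject]@{
                    Attribute = $attr
                    Value     = $_.Name
                    Entries   = ($_.Group | ForEach-Object { $_['dn'] }) -join '; '
                }
            }
    }
}

$dupes = Find-DuplicateIdentityAttributes -LdifText $Ldif
if ($dupes) { $dupes | Format-Table -AutoSize } else { 'No colliding identity attributes found.' }
```

Resolve every reported collision in the directory before enabling synchronization, since Secret Server's behavior with duplicates is undefined.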
OpenLDAP Password Changer Servers Using a DNS ANAME Record
Overview
Any OpenLDAP server whose Transport Layer Security (TLS) certificate is issued for a DNS ANAME alias record requires an additional registry entry before the Microsoft ADSI library can complete a TLS handshake with it. For example, this problem directly impacts connections with Okta LDAP servers.
Registry Entry
The registry entry is:
(DWORD) HKLM\SYSTEM\CurrentControlSet\Services\ldap\UseHostnameAsAlias = 1
Example
We want to integrate with dev-99352743.ldap.okta.com (or any variation). We run nslookup:
C:\Program Files\SafeNet\LunaClient>nslookup
dev-99352743.ldap.okta.com
Server: dns-cac-lb-02.rr.com
Address: 2001:1998:f00:2::1
Non-authoritative answer:
Name: ok12-ldapi-6062af7f5304741c.elb.us-west-2.amazonaws.com
Addresses: 44.234.52.16
44.234.52.15
44.234.52.17
Aliases: dev-99352743.ldap.okta.com
ok12.ldap.okta.com
From this we glean:
ANAME record: dev-99352743.ldap.okta.com
CNAME record: ok12-ldapi-6062af7f5304741c.elb.us-west-2.amazonaws.com
Thus, without the registry entry, the Microsoft library connects to the CNAME, and the TLS handshake fails. With the registry entry, the Microsoft library connects to the ANAME and the TLS handshake succeeds.
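As an added example (not Delinea's or Microsoft's code), this PowerShell script checks whether the LDAP hostname resolves through an alias and, if it does, ensures the registry value above is present so the ADSI handshake validates the certificate against the alias name you configured. The hostname is the page's example; it assumes an elevated prompt on the Secret Server web server, where the ADSI library runs.

```powershell
# Hostname from the page's example; replace with the OpenLDAP host Secret Server connects to.
$LdapHost = 'dev-99352743.ldap.okta.com'
# Registry location and value named on this page.
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\ldap'
$RegName  = 'UseHostnameAsAlias'

function Test-LdapHostIsAlias {
    param([string]$HostName)
    # Resolve-DnsName returns the CNAME record(s) in the chain ahead of the final A records.
    # The last CNAME's target is the canonical name the library would otherwise connect to.
    $records = Resolve-DnsName -Name $HostName -ErrorAction Stop
    $cname = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -Last 1
    if ($cname) {
        [pscustomobject]@{ Alias = $HostName; Canonical = $cname.NameHost; IsAlias = $true }
    } else {
        [pscustomobject]@{ Alias = $HostName; Canonical = $HostName; IsAlias = $false }
    }
}

function Set-UseHostnameAsAlias {
    param([string]$Path, [string]$Name)
    # Create the key if absent, then set the DWORD to 1 only when it is missing or wrong.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $existing -or $existing.$Name -ne 1) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
        return 'set to 1'
    }
    return 'already 1'
}

$dns = Test-LdapHostIsAlias -HostName $LdapHost
$dns | Format-List
if ($dns.IsAlias) {
    # The certificate is issued for the alias, so the handshake must use the alias name.
    "$RegName $(Set-UseHostnameAsAlias -Path $RegPath -Name $RegName)"
} else {
    "$LdapHost is not an alias; no registry change needed."
}
```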
Procedure
- Create a secret in Secret Server of type OpenLDAP Account. This sync secret is used to synchronize users and groups. It requires permission to search and view the attributes of the users and groups. If you plan on using Secret Server discovery, the account will also need permissions to scan computers on the network for accounts. Complete these parameters:
  - Domain. Example: ldap.omega.thycotic.com
  - Username. Example: cn=ldap,dc=omegaldap,dc=local
  - Password
- Go to Admin > Directory Services. The Directory Services page appears.
- Click the Add Domain dropdown list and select OpenLDAP Domain. The OpenLDAP popup appears.
- Type the domain's FQDN in the Fully Qualified Domain Name text box. For example: ldap.omega.thycotic.com.
- Type any name you desire in the Friendly Name text box.
- Ensure the Active check box is selected.
- Type the distinguished name (node path) in the Distinguished Name text box. For example: dc=omegaldap,dc=local
- Click the Authentication dropdown list to select either the Basic or Anonymous authentication method.
  - Basic authentication requires that valid credentials are assigned as the sync secret. Those credentials are used to authenticate to the OpenLDAP system on each sync.
  - Anonymous authentication does not require valid credentials and removes the Synchronization Secret section. Instead, it exposes a User Authentication field.
  The Kerberos authentication method probably works but has not been tested by Delinea.
- Basic authentication:
  - Click the No Secret Selected link in the Synchronization Secret section. The Select Secret popup appears.
  - Navigate to and select the secret you created earlier. The moment you click it, the popup disappears and the secret name appears in the Synchronization Secret section.
- Anonymous authentication: Click the User Authentication list to select Basic or No Authentication. This sets which authentication method to use when users who are synced anonymously try to authenticate:
  - Basic authentication requires valid OpenLDAP account credentials.
  - No authentication is for when customers want users synced from OpenLDAP but use authentication through another service, such as SAML. We do not support anonymous authentication for security reasons.
- Click to select the Use LDAPS check box if you intend to use secure LDAP.
- Click the Site dropdown list to select your site.
- Click the Multifactor Authentication dropdown list to select the desired authentication method.
- Click the Validate & Save button. The information is validated. If there are any connectivity issues, an error message appears stating which field is the likely cause. If the Active check box is not selected, no validation occurs. If you chose anonymous authentication, no secret is needed and no credential validation occurs; however, the distinguished name and FQDN are still used. Upon a successful save, a new box appears, prompting you to select the initial synchronization groups. If groups appear in the search box, that also indicates the connection was successful.