Multi-Tenant LDAP

[rbicelli]

Hello! I was testing Matrix-Synapse with mxisd but I stopped tests because my requirements are tied tied multiple LDAP Servers (Different Active Directory Domains with trust relationships) Is ma1sd capable to authenticate across different ldap servers?
Thanks

[piezza]

Yes, that works really nice. You need to have global catalog enabled on your DC (listens usually on port 3268, only in GC you will see the whole forrest). Then you can add multiple baseDn:

ldap:
  enabled: true
  connection:
    host: 'dc.local'
    port: 3268
    baseDNs:
      - 'OU=intern,DC=company1,DC=loc'
      - 'OU=intern,DC=company2,DC=loc'
 attribute:
      uid:
        type: 'uid'
        value: 'sAMAccountName'
      name: 'cn'

On our setup the sAMAccountName are unique over all Domains. If this isn't the case at your setup maybe you need to setup some rules to rewrite the uid in ma1sd.

[rbicelli]

My setup is trusted domain with multiple forests, so I have independent LDAP Servers.

[piezza]

I really wonder how you handle other applications which need cross domain user authentication over LDAP. In general you install a global catalog and do all binds and searches over this service then. Global catalog should mirror all objects in your AD Forrests trust if configured properly.

[rbicelli]

In applications we use (dovecot, sogo, nextcloud) is possible to add multiple authentications sources, one per domain. Will try the global catalog way and report here if it works for my particular setup. Thanks!

[rbicelli]

I adjusted the trust relationships by making them bidirectional. No matter what I do I cannot login. My settings:

ldap:
  enabled: true
  lookup: true
  connection:
    host: 'dc.domain0.ad'
    port: 3268
    bindDn: '...bind DN'
    bindPassword: '.. bind pw'
    baseDNs:
      - 'DC=domain0,DC=ad'
      - 'DC=ddomain1,DC=ad'
      - 'DC=domain2,DC=ad'
    attribute:
      uid:
        type: 'uid'
        value: 'sAMAccountName'
      name: 'displayName'
      threepid:
        email:
          - 'mail'
        msisdn:
          - 'phone'
          - 'mobile'

When tracing LDAP packets I see query performed on both three domains but lookup returns 0 results, even if entry exists. Search is performed with filter (sAMAccountName=username).

In logs I see Jul 20 14:57:22 riotim ma1sd[84537]: [XNIO-1 task-1] INFO io.kamax.mxisd.http.undertow.handler.auth.RestAuthHandler - Requested to check credentials for @username:mtx.mydomain and Jul 20 14:57:23 riotim ma1sd[84537]: [XNIO-1 task-1] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - No match were found for @username:mtx.mydomain

[piezza]

And sAMAccountName is correct? Have you tried to connect with a LDAP client (e.g. http://www.ldapadmin.org) to your GC with the bind user credentials and try if you can access the user entries and also if the search works there? (in LDAPAdmin, if you select the root as BaseDN ('DC=ad' for your example above), then you should see all BaseDNs and be able to browse full forrest).

[rbicelli]

sAMAccount name is correct. Tried with ldapsearch the response is:

# extended LDIF                                                                                
# 
# LDAPv3 
# base <dc=domain1,dc=ad> with scope subtree
# filter: (objectclass=*)
# requesting: ALL 
# 

# search result
search: 2
result: 10 Referral
text: 0000202B: RefErr: DSID-03100835, data 0, 1 access points
        ref 1: 'domain1.ad'

ref: ldap://domain1.ad/dc=domain1,dc=ad
# numResponses: 1                 

Same result grabbing packets on via tpdump. It returns a referral but no search on the referenced domain is performed. Maybe some setting on active directory side is missing?

[rbicelli]

I think what I'm trying to accomplish isn't feasible without multiple LDAP sources of authentication. My setup is Multi Domain/Multi Forest. Global Catalog works only in Single Forest deployments.

[piezza]

Please leave base empty when using ldapsearch in first tests. Maybe your base is wrong. When the server doesn't know the given base, it will respond with a referral.

In next step you can look what domains the server has replicated with:

ldapsearch -h adserver.loc -p 3268 -x -D 'CN=ldapbind,...' -w Password "(objectClass=domain)"

In our setup we have two forrests with two independent domains (but with bi-directional trust) and this works without problems on the GC.

[rbicelli]

The base is correct. Without base an filtering with (objectClass=domain) search returns a single object.