SLAPO-REMOTEAUTH(5) File Formats Manual SLAPO-REMOTEAUTH(5)
NAME
slapo-remoteauth - Delegate authentication requests to remote directories,
e.g. Active Directory
SYNOPSIS
/etc/ldap/slapd.conf
DESCRIPTION
The remoteauth overlay to slapd(8) provides passthrough authentication to
remote directory servers, e.g. Active Directory, for LDAP simple bind
operations. The local LDAP entry referenced in the bind operation is mapped
to its counterpart in the remote directory. An LDAP bind operation is
performed against the remote directory and results are returned based on
those of the remote operation.
A slapd server configured with the remoteauth overlay handles an
authentication request based on the presence of userPassword in the local
entry. If the userPassword is present, authentication is performed locally;
otherwise the remoteauth overlay performs the authentication request against
the configured remote directory server.
CONFIGURATION
The following options can be applied to the remoteauth overlay within
the slapd.conf file. All options should follow the overlay remoteauth
directive.
overlay remoteauth
This directive adds the remoteauth overlay to the current database, see
slapd.conf(5) for details.
remoteauth_dn_attribute <dnattr>
Attribute in the local entry that is used to store the bind DN to
a remote directory server.
remoteauth_mapping <domain> <hostname|LDAP URI|file:///path/to/list_of_hostnames>
For a non-Windows deployment, a domain can be considered as a collection of
one or more hosts against which the slapd server authenticates on behalf of
authenticating users. For a given domain name, the mapping specifies the
target server(s), e.g., Active Directory domain controller(s), to connect to
via LDAP. The second argument can be given either as a hostname, an LDAP URI,
or a file containing a list of hostnames/URIs, one per line. The hostnames
are tried in sequence until the connection succeeds. This option can be
provided more than once to provide mapping information for different
domains. For example:
remoteauth_mapping americas file:///path/to/americas.domain.hosts
remoteauth_mapping asiapacific file:///path/to/asiapacific.domain.hosts
remoteauth_mapping emea emeadc1.emea.example.com
remoteauth_domain_attribute <attr>
Attribute in the local entry that specifies the domain name, any
text after "\" or ":" is ignored.
remoteauth_default_domain <default domain>
Default domain.
remoteauth_default_realm <server>
Fallback server to connect to for domains not specified in
remoteauth_mapping.
remoteauth_retry_count <num>
Number of connection retries attempted. Default is 3.
remoteauth_store <on|off>
Whether to store the password in the local entry on successful
bind. Default is off.
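The options above describe how a bind is routed to a remote server: the domain is taken from the entry (text after "\" or ":" ignored), a missing domain falls back to remoteauth_default_domain, the domain is resolved through remoteauth_mapping (hostname, LDAP URI, or a file:// list tried in sequence), and an unmapped domain falls back to remoteauth_default_realm. The following Python model is an added example, not slapd's code; it reproduces those rules over constructed data. Where the page does not state the exact ordering (in particular how remoteauth_retry_count interacts with the host list), the behaviour chosen here is an assumption and is marked as such in the code.

```python
"""Model of how remoteauth selects the remote server(s) for a simple bind.

Added example, not slapd's code. It reproduces the rules stated in the
manual: the domain comes from the remoteauth_domain_attribute value with
anything after a backslash or ":" ignored, remoteauth_default_domain applies
when the entry carries no domain, remoteauth_mapping resolves a domain to a
hostname, an LDAP URI or a file:// list of hosts (one per line) that are
tried in sequence, and remoteauth_default_realm is the fallback for unmapped
domains. How remoteauth_retry_count interacts with the host list is this
example's assumption (retry_count attempts per host before moving on).
"""
import os
import tempfile


def domain_from_attribute(value, default_domain=None):
    """Extract the domain from e.g. 'AMERICAS\\jdoe' or 'americas:jdoe'."""
    if not value:
        return default_domain
    for sep in ("\\", ":"):
        value = value.split(sep, 1)[0]
    return value or default_domain


def parse_mapping(config_lines):
    """Collect remoteauth_mapping directives into {domain: target}."""
    mapping = {}
    for line in config_lines:
        parts = line.split()
        if len(parts) == 3 and parts[0] == "remoteauth_mapping":
            mapping[parts[1]] = parts[2]
    return mapping


def expand_target(target):
    """Turn a mapping target into the ordered list of hosts/URIs to try."""
    if target.startswith("file://"):
        with open(target[len("file://"):]) as f:
            return [line.strip() for line in f if line.strip()]
    return [target]


def candidate_servers(domain, mapping, default_realm=None):
    """Hosts for the domain, or the default realm when the domain is unmapped."""
    if domain in mapping:
        return expand_target(mapping[domain])
    return [default_realm] if default_realm else []


def remote_bind(candidates, try_connect, retry_count=3):
    """Walk the candidates in sequence; try_connect(host) returns True on success.
    Returns the host that accepted the connection, or None if all failed."""
    for host in candidates:
        for _ in range(retry_count):   # assumption: retries are per host
            if try_connect(host):
                return host
    return None


def demo():
    """Run the lookup over constructed data; returns (host chosen per user,
    the sequence of connection attempts made)."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts_file = os.path.join(tmp, "americas.domain.hosts")
        with open(hosts_file, "w") as f:
            f.write("dc1.americas.example.com\n\ndc2.americas.example.com\n")
        mapping = parse_mapping([
            "remoteauth_mapping americas file://" + hosts_file,
            "remoteauth_mapping emea emeadc1.emea.example.com",
        ])
        # Constructed connectivity: the first americas controller is down.
        reachable = {"dc2.americas.example.com", "emeadc1.emea.example.com",
                     "americas.example.com"}
        attempts = []

        def try_connect(host):
            attempts.append(host)
            return host in reachable

        chosen = {}
        for user, attr in (("alice", "americas\\alice"), ("bob", "emea:bob"),
                           ("carol", None), ("dave", "asiapacific\\dave")):
            domain = domain_from_attribute(attr, default_domain="emea")
            candidates = candidate_servers(domain, mapping,
                                           default_realm="americas.example.com")
            chosen[user] = remote_bind(candidates, try_connect, retry_count=2)
        return chosen, attempts


if __name__ == "__main__":
    for user, host in demo()[0].items():
        print(f"{user}: bound via {host}")
```

In the constructed run, alice's bind reaches the second host of the file:// list after the first fails, bob and carol (no domain attribute, so the default domain applies) both land on the emea controller, and dave's unmapped domain goes to the default realm. Note that the file:// list is read by the server on disk, so its permissions matter as much as those of slapd.conf itself.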
remoteauth_tls [starttls=yes] [tls_cert=<file>] [tls_key=<file>]
[tls_cacert=<file>] [tls_cacertdir=<path>]
[tls_reqcert=never|allow|try|demand]
[tls_reqsan=never|allow|try|demand] [tls_cipher_suite=<ciphers>]
[tls_ecname=<names>] [tls_crlcheck=none|peer|all]
Remoteauth specific TLS configuration, see slapd.conf(5) for more
details on each of the parameters and defaults.
remoteauth_tls_peerkey_hash <hostname> <hashname>:<base64 of public key hash>
Mapping between remote server hostnames and their public key
hashes. Only one mapping per hostname is supported and if any
pins are specified, all hosts need to be pinned. If set, pinning
is in effect regardless of whether or not certificate name
validation is enabled by tls_reqcert.
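Producing the pin value for remoteauth_tls_peerkey_hash is the step most likely to go wrong in practice, because the hash must be computed over the right bytes. The following script is an added example, not OpenLDAP code; it assumes the pin is the base64 of the named digest over the DER-encoded SubjectPublicKeyInfo of the remote server's certificate (the same value the openssl pipeline quoted in the docstring prints). The minimal DER walker, the function names and the synthetic certificate layout it expects are all this example's own.

```python
"""Derive a remoteauth_tls_peerkey_hash value from a server certificate.

Added example, not OpenLDAP code. It assumes the pinned value is the base64 of
the <hashname> digest over the DER-encoded SubjectPublicKeyInfo of the remote
server's certificate, i.e. the same value that this openssl pipeline prints:

    openssl x509 -in server.pem -pubkey -noout \\
      | openssl pkey -pubin -outform DER \\
      | openssl dgst -sha256 -binary | base64

The DER walker below is deliberately minimal: it only knows the fixed field
order of an X.509 tbsCertificate up to subjectPublicKeyInfo.
"""
import base64
import hashlib
import ssl
import sys


def _tlv(der, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = der[pos]
    length = der[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(der[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Return the DER bytes of the SubjectPublicKeyInfo in an X.509 certificate."""
    tag, pos, _ = _tlv(cert_der, 0)         # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(cert_der, pos)       # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    tag, _, end = _tlv(cert_der, pos)       # optional explicit [0] version
    if tag == 0xA0:
        pos = end
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)       # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed subjectPublicKeyInfo")
    return cert_der[pos:end]


def peerkey_pin(cert_der, hashname="sha256"):
    """'<hashname>:<base64 digest>' as expected by remoteauth_tls_peerkey_hash."""
    digest = hashlib.new(hashname, extract_spki(cert_der)).digest()
    return f"{hashname}:{base64.b64encode(digest).decode('ascii')}"


def pin_directive(hostname, cert_pem, hashname="sha256"):
    """Full slapd.conf line for a PEM certificate string."""
    cert_der = ssl.PEM_cert_to_DER_cert(cert_pem)
    return f"remoteauth_tls_peerkey_hash {hostname} {peerkey_pin(cert_der, hashname)}"


if __name__ == "__main__":
    # usage: python3 peerkey_pin.py <hostname> <server-cert.pem>
    host, path = sys.argv[1], sys.argv[2]
    with open(path) as f:
        print(pin_directive(host, f.read()))
```

Hashing the SubjectPublicKeyInfo rather than the whole certificate means the pin survives certificate renewal as long as the key pair is kept, which is what makes a pin operable. Since the page states that once any pin is set every host must be pinned, run this once per target host before enabling the directive, and plan a pin update for each key rotation on the remote side.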
EXAMPLE
A typical example configuration of remoteauth overlay for AD is shown
below (as a slapd.conf(5) snippet):
database <database>
#...
overlay remoteauth
remoteauth_dn_attribute seeAlso
remoteauth_domain_attribute associatedDomain
remoteauth_default_realm americas.example.com
remoteauth_mapping americas file:///home/ldap/etc/remoteauth.americas
remoteauth_mapping emea emeadc1.emea.example.com
remoteauth_tls starttls=yes tls_reqcert=demand tls_cacert=/home/ldap/etc/example-ca.pem
remoteauth_tls_peerkey_hash ldap.americas.tld sha256:Bxv3MkLoDm6gt/iDfeGNdNNqa5TTpPDdIwvZM/cIgeo=
Where seeAlso contains the AD bind DN for the user, and associatedDomain
contains the Windows Domain Id in the form of <NT-domain-name>:<NT-username>,
in which anything following, including ":", is ignored.
SEE ALSO
slapd.conf(5), slapd(8).
Copyrights
Copyright 2004-2024 The OpenLDAP Foundation. Portions Copyright 2004-2017
Howard Chu, Symas Corporation. Portions Copyright 2017-2021 Ondřej Kuzník,
Symas Corporation. Portions Copyright 2004 Hewlett-Packard Company
OpenLDAP 2.6.10+dfsg-1 2025/05/22 SLAPO-REMOTEAUTH(5)