GLPI + AD (LDAP) behind NAT?

V

Vasily2019-09-02 12:29:08

LDAP

Vasily, 2019-09-02 12:29:08

Good afternoon!
Implementing GLPI, I have 4 domains, 1 local, 3 remote.
Brought in 4 organizations, the local domain unloads users in the necessary organization and there, respectively, there is a work with them.
And here remote domains I cannot prokinut in any way.
LDAP connection
test: Failed test: Main server companyname
Actually the question is, maybe more about AD, maybe there are subtleties that I don't know.
There is an external IP, I forward ports from it to the AD controller. I try to reach out (so far) in 2 networks. In one Pfsence gateway, in another mikrotik.
In Pfsence, I just forward LDAP (port 389, LDAP is simply selected there and that's it), I tried many ports in Mikrotik, the result is the same.
Mikrotik rules (now it's X, just turned it off, since it's not used):
0 X ;;; LDAP AD
chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=389 protocol=tcp src-address=xxx.xxx.xxx.xxx dst-port=389 log=no log-prefix=""
1 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=389 protocol=udp src-address=xxx.xxx.xxx.xxx dst-port=389 log=no log-prefix=""
2 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=3268 protocol=tcp src-address=xxx.xxx.xxx.xxx dst-port=3268 log=no log-prefix=""
3 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=53 protocol=udp src-address=xxx.xxx.xxx.xxx dst-port=53 log=no log-prefix=""
4 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=53 protocol=tcp src-address=xxx.xxx.xxx.xxx dst-port=53 log=no log-prefix=""
5 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=3269 protocol=tcp src-address=xxx.xxx.xxx.xxx dst-port=3269 log=no log-prefix=""
6 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=464 protocol=udp src-address=xxx.xxx.xxx.xxx dst-port=464 log=no log-prefix=""
7 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=464 protocol=tcp src-address=xxx.xxx.xxx.xxx dst-port=464 log=no log-prefix=""
8 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=445 protocol=udp src-address=xxx.xxx.xxx.xxx dst-port=445 log=no log-prefix=""
9 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=445 protocol=tcp src-address=xxx.xxx.xxx.xxx dst-port=445 log=no log-prefix=""
10 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=139 protocol=tcp src-address=xxx.xxx.xxx.xxx dst-port=139 log=no log-prefix=""
11 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=138 protocol=udp src-address=xxx.xxx.xxx.xxx dst-port=138 log=no log-prefix=""
12 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=135 protocol=udp src-address=xxx.xxx.xxx.xxx dst-port=135 log=no log-prefix=""
13 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=135 protocol=tcp src-address=xxx.xxx.xxx.xxx dst-port=135 log=no log-prefix=""
14 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=88 protocol=udp src-address=xxx.xxx.xxx.xxx dst-port=88 log=no log-prefix=""
15 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=88 protocol=udp src-address=xxx.xxx.xxx.xxx dst-port=88 log=no log-prefix=""
16 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=1024-5000 protocol=tcp src-address=xxx.xxx.xxx.xxx dst-port=1024-5000 log=no log- prefix=""
17 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=1024-5000 protocol=udp src-address=xxx.xxx.xxx.xxx dst-port=1024-5000 log =no log-prefix=""
18 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=49152-65535 protocol=udp src-address=xxx.xxx.xxx.xxx dst-port=49152-65535 log=no log-prefix=""
19 X chain=dstnat action=dst-nat to-addresses=192.168.0.201 to-ports=49152-65535 protocol=tcp src-address=xxx.xxx.xxx.xxx dst-port=49152-65535 log=no log- prefix=""
From here you can see that I just didn’t forward, I forwarded the entire AD, and things are still there. GLPI does not see LDAP AD behind a nat (or behind a foreign nat). Does anyone have any thoughts or maybe someone did such an "organization of organizations" in GLPI? as?
Hoping for a solution or a hint where I should go. 2 days of googling gave nothing :( I
forgot the settings in GLPI. Everything is there by analogy with the domain that works
Server ldap://xxx.xxx.xxx.xxx (external ip) port 389
Connection filter (&(objectClass=user)( objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Search base (baseDN) ou=domain_users,dc=domain,
rootDN (user to connect to) [email protected] Username
field samaccountname
Thanks.

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

V

Vasily, 2019-09-02
@Elektronik123

In vain created, moved...
On AD 2 network interfaces, respectively in one the address of the gateway is specified, in another is not present. I threw on that interface on which the gateway is not specified. And as we know - the interface to which you are forwarding must have the address of the gateway from which you are forwarding ...
In short, I overcame 1 organization. With Mikrotik, everything is simple. But Pfsence is not given yet, MB just didn’t throw something correctly, I didn’t work with it much ... We’ll figure it out. Thanks everyone, very helpful :)