RE: Active Directory as ldap backend
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Gary Faulkner
> First problem I have is that I cannot do a search successfully, because
> you must authenticate against Active Directory before you can search
> users. And, I do not see any way for the ldap backend config to specify
> the bind DN/password to use. How does one do that?
slapd's back-ldap simply re-uses the Bind credentials that were used to bind
to it, so there is no need to specify credentials in the slapd.conf file.
> Secondarily, I need to be able to bind against it. My question is this:
> I've seen a lot of information about how you must use kerb5 in order to
> authenticate against the Active Directory server. Is this true?? Or is
> this just *recommended* for (obvious) security reasons?
Microsoft's documentation is in error here (or at least, grossly misleading).
You only need an encrypted session if you intend to use LDAP to change a
user's password. Furthermore, you can use either an SSL/TLS-protected simple
Bind, or a SASL/GSSAPI bind, it doesn't matter which. Currently back-ldap
only supports simple Binds, so your proxy requirement definitely limits your
options.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
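
Added example, not part of the original message or of OpenLDAP's code: a simple Bind as defined in RFC 4511 carries the bind DN and password as plain octet strings inside the BindRequest, and those are the bytes an SSL/TLS session protects when the bind is sent over it. The sketch below encodes one such request and parses it back; the function names are hypothetical and the DN and password passed in are constructed sample values.

```python
# Added example (RFC 4511 simple BindRequest); inputs are constructed samples.

def tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value with a definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value

def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """Encode a BindRequest; msg_id is limited to 0..127 to keep this short."""
    body = (tlv(0x02, bytes([3]))                     # version = 3
            + tlv(0x04, dn.encode("utf-8"))           # name: the bind DN
            + tlv(0x80, password.encode("utf-8")))    # simple [0]: raw password
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                  # long-form length
        k = first & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("bad length")
        first, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + first > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + first], pos + first

def parse_bind_request(pdu: bytes) -> dict:
    """Recover what anyone reading the unencrypted bytes would see."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    auth, cred, _ = read_tlv(op, pos)
    method = {0x80: "simple", 0xA3: "sasl"}.get(auth, "unknown")
    return {"msg_id": int.from_bytes(msg_id, "big"), "version": version[0],
            "dn": name.decode("utf-8"), "method": method, "credentials": cred}
```

The `credentials` field comes back byte-for-byte equal to the password that was passed in, with no hashing or encoding applied by the protocol itself.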