[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Active Directory as ldap backend

To: "'Gary Faulkner'" <garyf@netbotz.com>, <openldap-software@OpenLDAP.org>
Subject: RE: Active Directory as ldap backend
From: "Howard Chu" <hyc@highlandsun.com>
Date: Thu, 31 Oct 2002 15:26:25 -0800
Importance: Normal
In-reply-to: <3DC1A218.20809@netbotz.com>

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Gary Faulkner

> First problem I have is that I cannot do a search
> successfully, because
> you must authenticate against Active Directory before you can search
> users.  And, I do not see any way for the ldap backend config
> to specify
> the bind DN/password to use.  How does one do that?

slapd's back-ldap simply re-uses the Bind credentials that were used to bind
to it, so there is no need to specify credentials in the slapd.conf file.

> Secondarily, I need to be able to bind against it.  My
> question is this:
>   I'v seen alot of information about how you must use kerb5
> in order to
> authenticate against the Active Directory server.  Is this
> true?? Or is
> this just *recommended* for (obvious) security reasons?

Microsoft's documentation is in error here (or at least, grossly misleading).
You only need an encrypted session if you intend to use LDAP to change a
user's password. Furthermore, you can use either an SSL/TLS-protected simple
Bind, or a SASL/GSSAPI bind, it doesn't matter which. Currently back-ldap
only supports simple Binds, so your proxy requirement definitely limits your
options.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

References:
- Active Directory as ldap backend
  - From: Gary Faulkner <garyf@netbotz.com>

Prev by Date: Re: Active Directory as ldap backend
Index(es):
- Chronological
- Thread