
RE: Active Directory as ldap backend
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Gary Faulkner

> First problem I have is that I cannot do a search successfully, because
> you must authenticate against Active Directory before you can search
> users.  And, I do not see any way for the ldap backend config to specify
> the bind DN/password to use.  How does one do that?

slapd's back-ldap simply re-uses the Bind credentials that were used to bind
to it, so there is no need to specify credentials in the slapd.conf file.

> Secondarily, I need to be able to bind against it.  My question is this:
>   I've seen a lot of information about how you must use kerb5 in order to
> authenticate against the Active Directory server.  Is this true?? Or is
> this just *recommended* for (obvious) security reasons?

Microsoft's documentation is in error here (or at least, grossly misleading).
You only need an encrypted session if you intend to use LDAP to change a
user's password. Furthermore, you can use either an SSL/TLS-protected simple
Bind or a SASL/GSSAPI bind; it doesn't matter which. Currently back-ldap
only supports simple Binds, so your proxy requirement definitely limits your
options.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
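Worked example added to this thread (not from Howard's reply or the OpenLDAP project): a slapd.conf back-ldap fragment illustrating both answers above, that back-ldap forwards each client's own simple Bind to Active Directory instead of using credentials from slapd.conf, and that the proxy-to-AD leg needs TLS if that forwarded password (or an LDAP password change) is to be protected. The host names, suffix, user DN and the ldaps:// uri are placeholders; the ldaps:// uri assumes slapd's libldap was built with TLS support and trusts the AD certificate authority (TLS_CACERT in ldap.conf).

```conf
# Added example (not part of the original reply): a minimal back-ldap
# database proxying an Active Directory domain.  Host names, suffix and
# DNs are placeholders, not values taken from the thread.

database        ldap
suffix          "dc=example,dc=com"

# Assumption: slapd's libldap has TLS support and trusts the AD CA
# (TLS_CACERT in ldap.conf).  With plain ldap:// the proxied simple
# Bind would carry the user's password to AD in clear text.
uri             "ldaps://ad.example.com/"

# No proxy credentials are configured: back-ldap re-uses whatever Bind
# the client made to slapd.  An anonymous client therefore gets AD's
# anonymous view (no user entries), while an authenticated client
# searches with its own AD rights, e.g. (placeholder DN and attribute
# value):
#
#   ldapsearch -x -H ldaps://proxy.example.com/ \
#       -D "cn=Gary Faulkner,cn=Users,dc=example,dc=com" -W \
#       -b "cn=Users,dc=example,dc=com" "(sAMAccountName=gfaulkner)"
#
# Changing a password through the proxy still needs the encrypted session
# described above; the ldaps:// uri covers the proxy-to-AD leg, and the
# client-to-proxy leg should be protected the same way.
```

The key check against the original question is that slapd.conf carries no bind DN/password at all: a search that fails anonymously through the proxy and succeeds with -D/-W shows that the client's own credentials, not anything configured on the proxy, were presented to Active Directory.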