Re: Proxy to Active Directory
On Friday 29 August 2008 17:05:52 Michael Ströder wrote:
> Buchan Milne wrote:
> > There is a feature hidden in ITS that would provide a better solution,
> > (depending on your requirements)
> > allowing for authentication to still work if/when AD is unavailable (due
> > to network issue, firewall issue etc.).
> >
> > http://www.openldap.org/its/index.cgi/Contrib?id=5042;selectid=5042
>
> The problem with this approach is that it stores a copy of the password
> within OpenLDAP. Depending on the security policy that's maybe not what
> one wants.
But, the operational policy may require it .... the OpenLDAP administrator is
the only person who can make/implement that decision, I don't see a reason to
prevent the administrator from doing this. It is better than a clear-text
simple bind using the {SASL} feature (which would expose the cleartext
password that you are trying to protect).
Regards,
Buchan