
Re: Using AD authentication with an external LDAP for authorization



On Monday 08 December 2008 15:15:44 Andrew Findlay wrote:
> On Mon, Dec 08, 2008 at 11:31:21AM +0000, Stefan Stefansson wrote:

>
> > 2) LDAP server would
> > delegate authentication for users it cannot authenticate to the AD
> > server but otherwise it would handle the users it knows.
>
> That may be easier - for one thing you do not need to do anything
> scary to the central AD servers. See 'Pass-Through Authentication'
> in the Admin Guide:
>
> 	http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
>
> In principle you could use either LDAP or Kerberos access to the
> AD domain to implement this, though I think LDAP would be easier.
>
> It is also worth looking at the contributed slapd modules, as I think
> there is one that delegates authentication to a remote AD and then
> builds a local entry if the password is OK. smbk5pwd perhaps?

No, adpwc, which is stuck in ITS (#5042).

Depending on the exact requirements, bi-directional Kerberos trusts could also 
be a solution here.

Regards,
Buchan