Re: Using AD authentication with an external LDAP for authorization
On Monday 08 December 2008 15:15:44 Andrew Findlay wrote:
> On Mon, Dec 08, 2008 at 11:31:21AM +0000, Stefan Stefansson wrote:
>
> > 2) LDAP server would
> > delegate authentication for users it cannot authenticate to the AD
> > server but otherwise it would handle the users it knows.
>
> That may be easier - for one thing you do not need to do anything
> scary to the central AD servers. See 'Pass-Through Authentication'
> in the Admin Guide:
>
> http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
>
> In principle you could use either LDAP or Kerberos access to the
> AD domain to implement this, though I think LDAP would be easier.
>
> It is also worth looking at the contributed slapd modules, as I think
> there is one that delegates authentication to a remote AD and then
> builds a local entry if the password is OK. smbk5pwd perhaps?

No, adpwc, which is stuck in ITS (#5042).

Depending on the exact requirements, bi-directional Kerberos trusts could also
be a solution here.

Regards,
Buchan