[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Problem with ADS authentication - any alternatives?
- To: openldap-technical@openldap.org
- Subject: Problem with ADS authentication - any alternatives?
- From: Garry Glendown <garry@glendown.de>
- Date: Mon, 12 Jul 2010 14:43:14 +0200
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.4) Gecko/20100608 Thunderbird/3.1
Hi,
sorry if this is slightly off topic, but I'm hoping this may be possible
with OpenLDAP ..
After a customer of ours migrated from using a local OpenLDAP server to
using a central ADS, I've run into sort of a problem ...
One of the apps that had been using LDAP to get certain information for
a user has now got a problem as the formerly used bind with the user ID
(which was present in multiple fields, like uid, cn etc.) now fails. The
customer ADS now has the user name (in the format "First Last") in the
cn field, and as the complete dn in the dn field (with ou=...)
Now, while stuff like Cyrus works fine through looking up the correct DN
for a specified uid first and then using that DN for binding to the
database, this app still just hands over the input to ADS ... of course,
bind fails, as the supplied user ID doesn't match either DN or CN.
Of course one could just change the user name input to the full CN
contents, but as this is a customer with 600+ PCs, many of which have
the old authentication information stored locally (with the user not
necessarily being able to alter the information), this solution is only
sub-optimal.
Altering the CN field to contain the same info as the uid field is
another option, which was rejected as it is uncertain to what extent
this might cause some problems later on (in case M$ decides to do
anything nasty with the cn field).
I was thinking about creating some sort of proxy in between, that allows
authentication with the uid contents, but this won't work as I'd need
the password from the ADS entries, which I can't get ...
So I'm wondering - is there some kind of proxy that would allow me to do
something like this:
- App connects to LDAP Proxy with uid and password, sending some query
- Proxy queries ADS for the DN of the uid received
- Proxy binds to ADS with the DN and the supplied user PW, sends the
query and returns the information to the client
And while I'm at it - if the proxy were able to use two backend ADS,
this would be a definite plus ... ;)
Thanks for any feedback!
-garry