What we want to achieve is that users of services like OpenVPN, web proxy, email, file sharing, etc. will only need to remember their MS AD password, and they will be able to log in to the corresponding services they are entitled to use. In order to do so, we will need to configure OpenLDAP on Linux to authenticate with the MS AD server. OpenLDAP will contain the user information, but authentication will come from MS AD.
Sent from my iPad

On 18/07/10 21:08 +0600, OSHIM wrote:
Hi,
I need a help from you guys.
Anyone know how to customize Squid, Dansguardian, Postfix, Samba to use OpenLDAP and let OpenLDAP authenticate the username/password with MS-AD?
When performing SASL binds against OpenLDAP, you can configure /usr/lib/sasl2/slapd.conf with:

    pwcheck_method: saslauthd
    mech_list: plain login

and configure /etc/saslauthd.conf with:

    ldap_servers: ldap://192.0.2.1/
    ldap_use_sasl: yes
    ldap_mech: DIGEST-MD5

and consequently you would configure your /etc/postfix/sasl/smtpd.conf with:

    pwcheck_method: saslauthd
    mech_list: plain login

Configuring identical contents for /etc/saslauthd.conf on your Postfix server would authenticate directly to the MS-AD server. If you really do wish to authenticate to the OpenLDAP server and have it re-authenticate to AD, configure your /etc/saslauthd.conf with:

    ldap_servers: ldap://192.0.2.2/
    ldap_use_sasl: yes
    ldap_mech: PLAIN

Where 192.0.2.2 is the address of your slapd server. You would also want to configure an SSL/TLS protection layer to protect the transmission of your passwords to the slapd server.

See Chapter 15 (Using SASL) of the OpenLDAP administrator's guide for authz-regexp configuration that should be necessary to complete this approach. Also, see saslauthd/LDAP_SASLAUTHD within the cyrus sasl source tree for saslauthd.conf documentation. For troubleshooting, see 'testsaslauthd', 'smtptest', and 'saslfinger'. The first two are distributed with cyrus sasl, and the last is distributed by Patrick Koetter.

I'm not familiar with configuring Squid, Dansguardian, and Samba in a scenario like this, but I would imagine doing what you want (proxying authentication via slapd) is going to get exponentially complex. It may make more sense to have those applications authenticate directly to the AD server.

-- Dan White
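The two saslauthd.conf layouts Dan White describes (the Postfix host binding to slapd with PLAIN, and the slapd host binding to AD with DIGEST-MD5) differ in exactly the point he flags: with PLAIN, the user's password crosses the wire and needs an SSL/TLS layer. Below is an added example, not code from the thread or from cyrus-sasl, that parses saslauthd.conf-style fragments and reports any server URI where a cleartext mechanism (PLAIN, LOGIN, or a simple bind) is used without ldaps:// or STARTTLS. The 192.0.2.x addresses are the thread's own placeholders; the fragments are constructed here; the ldap_start_tls option name is taken from cyrus-sasl's saslauthd/LDAP_SASLAUTHD documentation.

```python
"""Audit saslauthd.conf fragments for passwords that would cross the network in the clear.

Added example for the thread above; it is not part of the original mail or of cyrus-sasl.
"""

# Constructed fragment: Postfix host re-authenticating to slapd with PLAIN, as in the thread.
POSTFIX_HOST_CONF = """\
ldap_servers: ldap://192.0.2.2/
ldap_use_sasl: yes
ldap_mech: PLAIN
"""

# Constructed fragment: slapd host authenticating to the AD server with DIGEST-MD5.
SLAPD_HOST_CONF = """\
ldap_servers: ldap://192.0.2.1/
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
"""

# The same Postfix-host fragment with the TLS layer the thread recommends (ldap_start_tls
# is the option documented in saslauthd/LDAP_SASLAUTHD; an ldaps:// URI would also do).
HARDENED_POSTFIX_HOST_CONF = POSTFIX_HOST_CONF + "ldap_start_tls: yes\n"

# Mechanisms that send the password itself over the bind connection.
CLEARTEXT_MECHS = {"plain", "login"}


def parse_saslauthd_conf(text):
    """Parse 'key: value' lines (saslauthd.conf syntax); '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed saslauthd.conf line: {raw!r}")
        conf[key.strip().lower()] = value.strip()
    return conf


def audit_saslauthd_conf(conf):
    """Return a list of findings for conf (a dict from parse_saslauthd_conf); empty means clean."""
    findings = []
    servers = conf.get("ldap_servers", "").split()
    if not servers:
        return ["ldap_servers is not set"]

    use_sasl = conf.get("ldap_use_sasl", "no").lower() == "yes"
    mech = conf.get("ldap_mech", "").lower()
    start_tls = conf.get("ldap_start_tls", "no").lower() == "yes"

    # A simple bind (ldap_use_sasl: no) or a PLAIN/LOGIN SASL bind both carry the password.
    cleartext = (not use_sasl) or (mech in CLEARTEXT_MECHS)

    for uri in servers:
        scheme = uri.split("://", 1)[0].lower()
        protected = scheme == "ldaps" or start_tls
        if cleartext and not protected:
            findings.append(
                f"{uri}: password sent in the clear "
                f"(mech={mech or 'simple bind'}); use ldaps:// or ldap_start_tls: yes"
            )
    return findings


if __name__ == "__main__":
    for name, text in [
        ("postfix host -> slapd", POSTFIX_HOST_CONF),
        ("slapd host -> AD", SLAPD_HOST_CONF),
        ("postfix host -> slapd (hardened)", HARDENED_POSTFIX_HOST_CONF),
    ]:
        result = audit_saslauthd_conf(parse_saslauthd_conf(text))
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

The DIGEST-MD5 leg passes because the mechanism never puts the password itself on the wire; the PLAIN leg to slapd is flagged until either an ldaps:// URI or ldap_start_tls: yes is present, which is the protection layer the reply says you would also want.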