RE: Pass-Through authentication
Jonathan and all,
Need your support ..... what should be the configuration of
saslauthd.conf in the case where I have a slapd.conf configuration where
I use a back-meta to aggregate different hdb databases that are
synchronized against AD Domain Controllers.
Paulo
-----Original Message-----
From: Paulo Jorge N. Correia (paucorre)
Sent: Tuesday, November 16, 2010 7:01 PM
To: Jonathan Clarke; openldap-technical@openldap.org
Subject: RE: Pass-Through authentication
Jonathan,
I decided to follow both options and test which one is better :)
1 - back-meta
2 - change the saslauthd from ldap to Kerberos
Regarding back-meta I need help :( In the slapd.conf I have a database
created for back-meta..... (strange thing is that it didn't work when
I created a separate conf file for each database, "include
/etc/openldap/slapd_domain1.conf"; it only works if I add all the
databases in the same file as shown below). Now what should I configure
in the saslauthd.conf file..... if I direct ldap_servers, how does it
know which AD is associated with each user?
___________________________________________________________________________
[root@openam-ldap openldap]# more ../saslauthd.conf
ldap_servers: ldap://localhost
ldap_search_base: dc=cisco,dc=com
ldap_timeout: 10
ldap_filter: uid=%u
ldap_bind_dn: cn=admin,dc=cisco,dc=com
ldap_password: Cisco,123
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
____________________________________________________________________
[root@openam-ldap openldap]# more slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/openldap.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
sasl-host localhost
sasl-secprops none
database meta
suffix "dc=cisco,dc=com"
uri "ldap://localhost/ou=domain1,dc=cisco,dc=com"
suffixmassage "ou=domain1,dc=cisco,dc=com" "ou=domain1"
uri "ldap://localhost/ou=domain2,dc=cisco,dc=com"
suffixmassage "ou=domain2,dc=cisco,dc=com" "ou=domain2"
database hdb
suffix "ou=domain1"
directory "/var/lib/ldap/domain1"
rootdn "cn=admin,ou=domain1"
rootpw "Cisco,123"
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid eq,pres,sub
database hdb
suffix "ou=domain2"
directory "/var/lib/ldap/domain2"
rootdn "cn=admin,ou=domain2"
rootpw "Cisco,123"
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid eq,pres,sub
_______________________________________________________________
Thank you,
Paulo
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Jonathan
Clarke
Sent: Monday, November 15, 2010 12:13 PM
To: openldap-technical@openldap.org
Subject: Re: Pass-Through authentication
On 14/11/10 18:29, Paulo Jorge N. Correia (paucorre) wrote:
> Hi all,
>
> I'm just starting with openLDAP and saslauth, and I'm trying to
> replicate what I can achieve with ADAM/AD LDS in Windows platform.
>
> I'm trying to use openldap to aggregate user information from several
> AD servers under different forests.
>
> So single point of contact from an LDAP perspective for an
> organization, and then openldap should pass-through the authentication
> request that receives to the AD DC of the respective user.
>
> This works well with saslauthd for a single domain, but if I need
> to do this with multiple domains, I don't know how to configure
> saslauthd.
saslauthd can only launch one LDAP search to find a user and check his
password. So if you're using several AD domains, you need to be able to
perform a single search over all those domains: set up a back-meta with
all the AD forests under it, and point saslauthd at that.
Jonathan
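The flow Jonathan describes, and the question Paulo asks ("how does it know which AD is associated with each user?"), can be made concrete with a small model of the search-then-bind sequence saslauthd runs when ldap_auth_method is bind. This is an added, constructed example; it is not saslauthd or OpenLDAP code. It assumes, as in the slapd.conf above, that back-meta exposes every target under the meta suffix dc=cisco,dc=com via suffixmassage, so each entry's DN ends in the suffix of exactly one target; the uid values, passwords and the rule that an ambiguous (multi-entry) search result is rejected are assumptions for illustration.

```python
"""Model of saslauthd's bind-method check against a back-meta directory.

saslauthd does not need to know which AD a user belongs to: it runs ONE
search (uid=%u) over the meta suffix, which back-meta fans out to every
target, and then binds as the DN it got back. Because the DN carries the
massaged suffix of the target it came from, the bind is routed to that
target alone. Constructed sample data; not the thread's live servers.
"""
from dataclasses import dataclass, field


@dataclass
class Target:
    """One back-meta target: its massaged suffix and its entries.
    entries maps DN -> (uid, password). Constructed sample data."""
    suffix: str
    entries: dict = field(default_factory=dict)

    def search(self, uid):
        return [dn for dn, (u, _) in self.entries.items() if u == uid]

    def bind(self, dn, password):
        rec = self.entries.get(dn)
        return rec is not None and rec[1] == password


class MetaDirectory:
    """Minimal stand-in for a 'database meta' with suffixmassage targets."""

    def __init__(self, suffix, targets):
        self.suffix = suffix
        self.targets = targets

    def search(self, base, uid):
        # A subtree search is fanned out to every target whose massaged
        # suffix lies at or below the search base.
        hits = []
        for t in self.targets:
            if t.suffix == base or t.suffix.endswith("," + base):
                hits.extend(t.search(uid))
        return hits

    def _route(self, dn):
        # Routing rule: the target whose massaged suffix ends the DN.
        for t in self.targets:
            if dn == t.suffix or dn.endswith("," + t.suffix):
                return t
        return None

    def bind(self, dn, password):
        t = self._route(dn)
        return t is not None and t.bind(dn, password)


def saslauthd_check(meta, search_base, username, password):
    """Mirror of saslauthd.conf with ldap_auth_method: bind and
    ldap_filter: uid=%u. Returns (ok, reason)."""
    dns = meta.search(search_base, username)
    if not dns:
        return False, "no entry for uid"
    if len(dns) > 1:
        # Assumption: an ambiguous result is refused. A uid present in two
        # aggregated domains needs a narrower ldap_search_base or a more
        # specific ldap_filter before pass-through can work for it.
        return False, "uid matched %d entries" % len(dns)
    ok = meta.bind(dns[0], password)
    return ok, ("bound as " + dns[0]) if ok else "bind failed"


# Constructed directory: two domains aggregated under the meta suffix,
# plus one uid that (deliberately) exists in both.
META_SUFFIX = "dc=cisco,dc=com"
DOMAIN1 = Target("ou=domain1,dc=cisco,dc=com", {
    "uid=alice,ou=domain1,dc=cisco,dc=com": ("alice", "pw-alice"),
    "uid=shared,ou=domain1,dc=cisco,dc=com": ("shared", "pw-1"),
})
DOMAIN2 = Target("ou=domain2,dc=cisco,dc=com", {
    "uid=bob,ou=domain2,dc=cisco,dc=com": ("bob", "pw-bob"),
    "uid=shared,ou=domain2,dc=cisco,dc=com": ("shared", "pw-2"),
})
META = MetaDirectory(META_SUFFIX, [DOMAIN1, DOMAIN2])

if __name__ == "__main__":
    for user, pw in [("alice", "pw-alice"), ("bob", "pw-bob"),
                     ("alice", "wrong"), ("carol", "x"), ("shared", "pw-1")]:
        print(user, saslauthd_check(META, META_SUFFIX, user, pw))
    # Narrowing the search base to one domain disambiguates 'shared'.
    print("shared@domain2",
          saslauthd_check(META, "ou=domain2,dc=cisco,dc=com", "shared", "pw-2"))
```

With ldap_search_base set to the meta suffix, alice and bob authenticate against their own backend without saslauthd knowing about domains at all; the duplicated uid is the case to watch for when aggregating forests, since one search then returns two DNs and no single bind can be attempted.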