Sent: Wed May 04 2011 13:58:44 GMT-0600 (MST)
From: Dan White <dwhite@olp.net>
To: Patrick H. <openldap-technical@stormcloud9.net>
openldap-technical@openldap.org
Subject: Re: conditional bind authentication against external ldap
server
On
02/05/11 16:48 -0600, Patrick H. wrote:
I'm trying to setup a way to have bind
requests authenticated by logging into an external ldap server.
But to make things more complicated, I only want to do it if a
certain attribute is defined on the user's entry.
The details:
When a user binds, check to see if the 'seeAlso' attribute is
defined for the user.
If 'seeAlso' is not defined, try to authenticate as normal using
the 'userPassword' stored in the local database.
If it is defined, 'seeAlso' will contain the DN of the user in
another ldap database (Active Directory in this case).
Use the seeAlso DN to determine the URI of the ldap db to
connect to (right now there is only one Active Directory server,
but it would be nice to be able to use different URIs for
different suffixes down the road).
Attempt to bind to the remote database using the seeAlso DN. If
the remote bind succeeds, the local bind also succeeds.
The goal here is to allow users to opt into using their Active
Directory password for authentication. No data will be pulled
from the remote ldap and overlayed on the local account, it is
strictly bind authentication only.
From searching around, I'm not sure what to use to do this. It
seems like slapd-ldap and slapo-chain might both do the remote
ldap thing, and then I might use slapo-rwn to somehow do a
conditional test for the seeAlso attribute and rewrite the bind
DN, but I'm not sure.
If anyone could tell me if my idea is even possible, and some
starting points if so, it would be much appreciated.
What software will be performing the authentication? Is the LDAP
protocol
exposed to the end user, or are they authenticating to a web
server or some
such?
Can you accomplish this programatically or via a script? Or is
this
functionality that has to logically be accomplished within slapd?
Attempting to authenticate via LDAP bind. Has to be via ldap bind.
|