Re: Use active directory to check password but keep all user data in LDAP
On 28.05.2014 13:00, Howard Chu wrote:
> Mattias Segerdahl wrote:
>> Hello,
>>
>> I was wondering if it is possible to configure OpenLDAP 2.4 to only
>> check the
>> password validation with Active Directory and have the rest of the user
>> attributes, such as mail, loginShell, homeDirectory, etc. come from
>> OpenLDAP?
>> Any pointers, guides, howto's or even "let me google that for you"
>> are highly
>> appreciated.
>
> Several ways to do that. Use the adauth overlay, or the remoteauth
> overlay, or the pbind overlay, for example.
Another possibility is to do it with SASL Pass-Through (see 14.5. of
http://www.openldap.org/doc/admin24/security.html).
Quite simple, but beware: make sure that the sasl daemon is configured
to use ldaps when connecting to AD since the clear text password is
transmitted.
>
> Overall it's a bad idea, Active Directory authentication is thousands
> of times slower than OpenLDAP authentication. You can very easily
> overload the AD server on an active network.
This of course is correct. Only do it if you don't expect heavy load!
Cheers,
Peter
--
Peter Gietz, CEO
DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany
phone: +49 7071 407109-0
fax: +49 7071 407109-9
email: peter.gietz@daasi.de
web: www.daasi.de
Registered office: Tübingen
Court of registration: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz
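The SASL pass-through setup Peter describes, sketched as an added example (not code from the thread or from the OpenLDAP project): slapd stores `userPassword: {SASL}user@realm` as in section 14.5 of the admin guide and hands the password check to saslauthd, which binds to AD. The hostnames, DNs, realm and bind account below are constructed; the saslauthd option names (`ldap_servers`, `ldap_start_tls`, `ldap_tls_check_peer`, `ldap_tls_cacert_file`) are the real ones from cyrus-sasl's LDAP_SASLAUTHD documentation. The `audit_saslauthd_conf` function is a small check of my own that flags the clear-text risk he warns about: a plain `ldap://` server without STARTTLS, or TLS without peer verification.

```shell
#!/bin/sh
# Added example: SASL pass-through from slapd to AD via saslauthd, with a
# check that the saslauthd side does not send the password in clear text.
# All hostnames, DNs, realms and the bind account are constructed samples.

# 1. slapd side (constructed LDIF): the entry keeps its own attributes, and
#    userPassword delegates the check to SASL instead of holding a hash.
SLAPD_ENTRY_LDIF='dn: uid=jdoe,ou=people,dc=example,dc=org
uid: jdoe
mail: jdoe@example.org
loginShell: /bin/bash
homeDirectory: /home/jdoe
userPassword: {SASL}jdoe@EXAMPLE.ORG
'

# 2. slapd's libsasl config (/etc/sasl2/slapd.conf): ask saslauthd.
SASL2_SLAPD_CONF='pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
'

# 3a. saslauthd.conf as it must NOT look: plain ldap://, no TLS, so the
#     user's clear-text password crosses the network to AD.
SASLAUTHD_WEAK='ldap_servers: ldap://ad.example.org
ldap_search_base: dc=example,dc=org
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=slapd-lookup,cn=Users,dc=example,dc=org
ldap_bind_pw: REPLACE-ME
'

# 3b. Hardened: ldaps:// plus peer verification against the AD CA.
SASLAUTHD_GOOD='ldap_servers: ldaps://ad.example.org
ldap_search_base: dc=example,dc=org
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=slapd-lookup,cn=Users,dc=example,dc=org
ldap_bind_pw: REPLACE-ME
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/ad-ca.pem
'

# audit_saslauthd_conf FILE
# Returns 0 when every ldap_servers URI is protected (ldaps://, or ldap://
# upgraded with "ldap_start_tls: yes") and the peer certificate is checked;
# returns 1 and prints each finding otherwise.
audit_saslauthd_conf() {
    conf=$1
    rc=0
    servers=$(sed -n 's/^ldap_servers:[[:space:]]*//p' "$conf")
    starttls=$(sed -n 's/^ldap_start_tls:[[:space:]]*//p' "$conf")
    checkpeer=$(sed -n 's/^ldap_tls_check_peer:[[:space:]]*//p' "$conf")
    if [ -z "$servers" ]; then
        echo "$conf: no ldap_servers line"
        return 1
    fi
    for uri in $servers; do
        case $uri in
            ldaps://*) ;;
            ldap://*)
                if [ "$starttls" != "yes" ]; then
                    echo "$conf: $uri sends the user's password in clear text"
                    rc=1
                fi ;;
            *)
                echo "$conf: unrecognised server URI $uri"
                rc=1 ;;
        esac
    done
    if [ "$checkpeer" != "yes" ]; then
        echo "$conf: ldap_tls_check_peer is not 'yes', so a spoofed AD could read the password"
        rc=1
    fi
    return $rc
}

# Run the audit over both constructed configs.
demo() {
    tmp=$(mktemp -d)
    printf '%s' "$SASLAUTHD_WEAK" > "$tmp/saslauthd.weak.conf"
    printf '%s' "$SASLAUTHD_GOOD" > "$tmp/saslauthd.good.conf"
    audit_saslauthd_conf "$tmp/saslauthd.weak.conf" || echo "-> weak config rejected"
    audit_saslauthd_conf "$tmp/saslauthd.good.conf" && echo "-> hardened config accepted"
    rm -r "$tmp"
}

demo
```

Once saslauthd is running with the hardened file, `testsaslauthd -u jdoe -p 'secret'` exercises the AD bind without involving slapd, which is the quickest way to confirm the pass-through path before pointing `userPassword` at it; Howard's load warning still applies, since every bind to slapd now costs a bind to AD.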