
Re: OpenLDAP as proxy to Active Directory backend
That's right, you have to create LDAP entries for the passthrough
authentication. I guess you could create some kind of sync service
between AD and the LDAP proxy, but it might be kind of hairy to get it
working properly. Others might have better suggestions.

On Tue, Oct 14, 2014 at 5:11 PM, Jeff Lebo <jeflebo@outlook.com> wrote:
> Bruce,
>
> My SASL authentication is working...
>
> I am still confused on how to setup OpenLDAP to pass ALL attempts through to
> SASL.  The only method I've found is to create users in a local OpenLDAP
> database and set the userPassword attribute to {SASL}username@REALM.
>
> What am I missing here?
>
>> Date: Tue, 14 Oct 2014 16:23:26 -0700
>> Subject: Re: OpenLDAP as proxy to Active Directory backend
>> From: bruce.carleton@dena.com
>> To: jeflebo@outlook.com
>> CC: openldap-technical@openldap.org
>>
>> Jeff,
>>
>> The basic functionality is there. You can tell OpenLDAP to use SASL
>> for authentication, against any available SASL mechanism that's
>> supported on your platform. Part of the story is here:
>>
>> http://www.openldap.org/doc/admin24/security.html#Pass-Through authentication
>>
>> Pay very close attention to paragraph 14.5.1. That little SASL config
>> file (not part of OpenLDAP) will stop the show if it's not right.
>>
>> I almost had it working, but I couldn't do it, because I still needed
>> local LDAP password hashes in my use case. I couldn't get the "{SASL}"
>> password value to work for some reason. Turning on SASL pass-through
>> seemed to be an all or nothing choice in my case. You will probably
>> have to do some work to get it up and running.
>>
>> Best,
>>
>> --Bruce
>>
>> On Tue, Oct 14, 2014 at 1:46 PM, Jeff Lebo <jeflebo@outlook.com> wrote:
>> > Goal: LDAP server in Internet facing DMZ to provide authentication for
>> > externally hosted applications using internal AD credentials.
>> >
>> > I've done a LOT of reading and testing, and there is one thing I am
>> > still not 100% clear on:
>> >
>> > Is it possible to do this WITHOUT having a local user database on the
>> > OpenLDAP proxy? We will have thousands of users that will need to
>> > authenticate, and I can't maintain another user database (adds, removes,
>> > etc..). Is there a way to make OpenLDAP just act more like a reverse
>> > proxy and forward anything that matches a specific domain on to the
>> > internal LDAP/AD server for password verification?
>>
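As an added example (not code from this thread or from the OpenLDAP project), the small generator a "sync service" as Bruce describes would need: it takes a constructed list of AD account names and emits stub LDIF entries whose userPassword is {SASL}username@REALM, encoding values per RFC 2849, and it classifies existing userPassword values so you can see which entries still carry a local hash (the mixed case Bruce could not get working). The realm, base DN and account names are assumptions.

```python
"""Stub entries for OpenLDAP SASL pass-through authentication.

slapd keeps no password for these users: a userPassword of {SASL}user@REALM
makes it hand the bind to SASL (saslauthd), which checks AD. slapd must be
built with --enable-spasswd for {SASL} values to be honoured.
"""
import base64
import re

# Constructed sample input: sAMAccountNames exported from AD (hypothetical).
AD_ACCOUNTS = ["jlebo", "bcarleton", "anna.müller"]
REALM = "AD.EXAMPLE.COM"                  # assumed SASL realm
BASE_DN = "ou=people,dc=example,dc=com"   # assumed suffix on the proxy

# RFC 2849 SAFE-STRING: no NUL/CR/LF, and no leading space, colon or '<'.
_SAFE = re.compile(
    r"^[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
    r"[\x01-\x09\x0b\x0c\x0e-\x7f]*$"
)


def ldif_line(attr, value):
    """One LDIF attribute line; values that are not SAFE-STRING go base64 ('::')."""
    if _SAFE.match(value):
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def passthrough_entry(account, realm=REALM, base_dn=BASE_DN):
    """Minimal inetOrgPerson whose only credential is the {SASL} pointer to AD."""
    return "\n".join([
        ldif_line("dn", f"uid={account},{base_dn}"),
        "objectClass: inetOrgPerson",
        ldif_line("uid", account),
        ldif_line("cn", account),
        ldif_line("sn", account),
        ldif_line("userPassword", f"{{SASL}}{account}@{realm}"),
    ])


def sync_ldif(accounts=AD_ACCOUNTS):
    """Whole LDIF for ldapadd: one entry per AD account, blank-line separated."""
    return "\n\n".join(passthrough_entry(a) for a in accounts) + "\n"


def classify_password(value):
    """'passthrough' for {SASL} values, otherwise the local scheme ({SSHA}, ...)."""
    if value.startswith("{SASL}"):
        return "passthrough"
    match = re.match(r"^\{([A-Za-z0-9-]+)\}", value)
    return f"local:{match.group(1)}" if match else "local:cleartext"


if __name__ == "__main__":
    print(sync_ldif(), end="")
```

Feed the output to ldapadd against the proxy; any entry that classify_password reports as local:* would be verified by slapd itself rather than by saslauthd.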