|
Yea, the logic I am looking for is:
If user authenticates with @domain.com, passthrough/redirect authentication on to LDAP backend, WITHOUT looking for a local entry in the OpenLDAP database. This network doesn't have the resources to maintain another user database, even if it via some automated sync process... was just hoping to implement a "dumb" reverse proxy for LDAP in order to prevent storing usernames/passwords in an Internet facing DMZ (or in the case of using a Windows LDAP server, putting a DC member in the DMZ). > Date: Tue, 14 Oct 2014 17:18:01 -0700 > Subject: Re: OpenLDAP as proxy to Active Directory backend > From: bruce.carleton@dena.com > To: jeflebo@outlook.com > CC: openldap-technical@openldap.org > > That's right, you have to create LDAP entries for the passthrough > authentication. I guess you could create some kind of sync service > between AD and the LDAP proxy, but it might be kind of hairy to get it > working properly. Others might have better suggestions. > > On Tue, Oct 14, 2014 at 5:11 PM, Jeff Lebo <jeflebo@outlook.com> wrote: > > Bruce, > > > > My SASL authentication is working... > > > > I am still confused on how to setup OpenLDAP to pass ALL attempts through to > > SASL. The only method I've found is to create users in a local OpenLDAP > > database and set the userPassword attribute to {SASL}username@REALM. > > > > What am I missing here? > > > >> Date: Tue, 14 Oct 2014 16:23:26 -0700 > >> Subject: Re: OpenLDAP as proxy to Active Directory backend > >> From: bruce.carleton@dena.com > >> To: jeflebo@outlook.com > >> CC: openldap-technical@openldap.org > > > >> > >> Jeff, > >> > >> The basic functionality is there. You can tell OpenLDAP to use SASL > >> for authentication, against any available SASL mechanism that's > >> supported on your platform. Part of the story is here: > >> > >> http://www.openldap.org/doc/admin24/security.html#Pass-Through > >> authentication > >> > >> Pay very close attention to paragraph 14.5.1. That little SASL config > >> file (not part of OpenLDAP) will stop the show if it's not right. > >> > >> I almost had it working, but I couldn't do it, because I still needed > >> local LDAP password hashes in my use case. I couldn't get the "{SASL}" > >> password value to work for some reason. Turning on SASL pass-through > >> seemed to be an all or nothing choice in my case. You will probably > >> have to do some work to get it up and running. > >> > >> Best, > >> > >> --Bruce > >> > >> On Tue, Oct 14, 2014 at 1:46 PM, Jeff Lebo <jeflebo@outlook.com> wrote: > >> > Goal: LDAP server in Internet facing DMZ to provide authentication for > >> > externally hosted applications using internal AD credentials. > >> > > >> > I've done a LOT of reading and testing, and there is one thing I am > >> > still > >> > not 100% clear on: > >> > > >> > Is it possible to do this WITHOUT having a local user database on the > >> > OpenLDAP proxy? We will have thousands of users that will need to > >> > authenticate, and I can't maintain another user database (adds, removes, > >> > etc..). Is there a way to make OpenLDAP just act more like a reverse > >> > proxy > >> > and forward anything that matches a specific domain on to the internal > >> > LDAP/AD server for password verification? > >> > |