|
Excellent... I am now able to simulate the process that the external application will use:
- Bind to OpenLDAP server using AD service account. - Search for DN of user account using sAMAccountName filter. - Bind to OpenLDAP server using DN and password of user account to provide auth for application. How can I limit what data is accessible via search? Since all I am trying to do is check user/pass, the only thing I'd like to allow returned to the client is the DN. I've tried with 'rwm-map attribute *' per a few documents I found, but I don't get anything returned via my LDAP search with that in the config (I've tried lots of different combos above that to allow data, then block all other data). Now that I think I've got this working for the most part... what are some best security practices for this setup? > Date: Wed, 15 Oct 2014 01:50:02 +0100 > From: hyc@symas.com > To: jeflebo@outlook.com; openldap-technical@openldap.org > Subject: Re: OpenLDAP as proxy to Active Directory backend > > Jeff Lebo wrote: > > Goal: LDAP server in Internet facing DMZ to provide authentication for > > externally hosted applications using internal AD credentials. > > > > I've done a LOT of reading and testing, and there is one thing I am still not > > 100% clear on: > > > > Is it possible to do this WITHOUT having a local user database on the OpenLDAP > > proxy? We will have thousands of users that will need to authenticate, and I > > can't maintain another user database (adds, removes, etc..). Is there a way > > to make OpenLDAP just act more like a reverse proxy and forward anything that > > matches a specific domain on to the internal LDAP/AD server for password > > verification? > > That's exactly what back-ldap does. A couple other posts have already pointed > you to its manpage/documentation. Everything else mentioned so far (SASL > passthrough) is misdirection. > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ > |