Re: OpenLDAP Proxy for Active Directory Authentication (slapd.d)



On 11/11/14 09:50 +0000, Šmucr Jan wrote:
> User wants to authenticate --> Client (Gerrit 2.9.1) connects to the local
> OpenLDAP server --> The OpenLDAP server searches its local database for a
> relevant entry
>
>   * Entry found --> Inform the client
>   * Entry not found --> Delegate the request to the remote Active Directory server
>       o Entry found --> Inform the OpenLDAP server --> Inform the client
>       o Entry not found --> Inform the OpenLDAP server --> Inform the client

[1] http://ltb-project.org/wiki/documentation/general/sasl_delegation

To work with pass-through authentication, all users will need a valid entry
within your OpenLDAP tree. Those you wish to authenticate against Active
Directory will need a userPassword attribute of:

userPassword: {SASL}user@domain

And those you wish to authenticate locally should have a standard hashed
password string. All authentication (or at least pass-through
authentication) will need to use simple binds (-x command line option).

If that requirement does not meet your needs, use LDAP SASL binds instead
of pass-through authentication, which do not require your authenticated
users to exist within the local tree.

To troubleshoot pass-through authentication, run saslauthd in debug mode
(-d), and use testsaslauthd to validate your saslauthd.conf configuration
prior to troubleshooting your slapd config. Verify your slapd process has
permissions to communicate with the saslauthd mux, which is a common
mistake.

For project documentation, see:

http://www.openldap.org/doc/admin24/security.html#Pass-Through authentication
http://www.openldap.org/doc/admin24/sasl.html
saslauthd(8)
testsaslauthd(8)
'saslauthd/LDAP_SASLAUTHD' in the cyrus sasl source code

--
Dan White
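Added example (not from this thread or the OpenLDAP project) covering the two checks Dan's reply calls for before blaming slapd: which entries in the local tree will actually be delegated to saslauthd, and whether the slapd user can reach the saslauthd mux socket at all. It assumes Debian-style defaults (mux at /var/run/saslauthd/mux, slapd running as the openldap user); the LDIF is constructed sample data.

```python
import base64, grp, os, pwd, stat

def perm_ok(mode, owner_uid, owner_gid, uid, gids, want):
    """Classic Unix permission check: may uid (member of gids) do `want` ('r','w','x')?"""
    if uid == 0:                      # root bypasses mode bits
        return True
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bool(bits & {"r": 4, "w": 2, "x": 1}[want])

def slapd_can_reach_mux(mux_path="/var/run/saslauthd/mux", slapd_user="openldap"):
    """True if slapd_user can search the mux directory and connect() to the socket.
    The usual failure is a 0710 root:sasl directory with slapd's user not in 'sasl'."""
    pw = pwd.getpwnam(slapd_user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if slapd_user in g.gr_mem}
    d, s = os.stat(os.path.dirname(mux_path)), os.stat(mux_path)
    return (perm_ok(d.st_mode, d.st_uid, d.st_gid, pw.pw_uid, gids, "x")
            and stat.S_ISSOCK(s.st_mode)
            and perm_ok(s.st_mode, s.st_uid, s.st_gid, pw.pw_uid, gids, "w"))

def classify_passwords(ldif_text):
    """Map each dn to how slapd will handle a simple bind: 'passthrough' ({SASL}user@realm),
    'passthrough-default-realm' ({SASL}user, realm comes from saslauthd -r), 'local'
    (hashed value checked by slapd itself) or 'none' (no userPassword, every bind fails)."""
    result, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            result[dn] = "none"
        elif line.startswith("userPassword:") and dn:
            raw = line[len("userPassword:"):]          # slapcat base64-encodes it ('::')
            value = base64.b64decode(raw[1:]).decode() if raw.startswith(":") else raw.strip()
            if value.startswith("{SASL}"):
                result[dn] = "passthrough" if "@" in value[6:] else "passthrough-default-realm"
            else:
                result[dn] = "local"
    return result

# Constructed sample LDIF: one AD-delegated user, one local (SSHA) user, one entry without a password.
SAMPLE_LDIF = """\
dn: uid=jan,ou=people,dc=example,dc=com
userPassword: {SASL}jan@EXAMPLE.LOCAL

dn: uid=dan,ou=people,dc=example,dc=com
userPassword:: e1NTSEF9ZmFrZWhhc2g=

dn: uid=nopw,ou=people,dc=example,dc=com
"""
```

Run `classify_passwords` over `slapcat` output to list who goes to Active Directory and who is checked locally; `slapd_can_reach_mux()` needs to run on the OpenLDAP host itself.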