[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP Proxy for Active Directory Authentication (slapd.d)



Dan White wrote:
On 11/11/14 09:50 +0000, Šmucr Jan wrote:
User wants to authenticate --> Client (Gerrit 2.9.1) connects to the
local
OpenLDAP server --> The OpenLDAP server searches its local database for a
relevant entry

*         Entry found --> Inform the client

*         Entry not found --> Delegate the request to the remote
Active directory server

o   Entry found --> Inform the OpenLDAP server --> Inform the client

o   Entry not found --> Inform the OpenLDAP server --> Inform the client

[1] http://ltb-project.org/wiki/documentation/general/sasl_delegation

To work with pass-through authentication, all users will need a valid entry
within your OpenLDAP tree. Those you wish to authenticate against active
directory will need a userPassword attribute of:

userPassword: {SASL}user@domain

Why do people keep trying to use "pass-through authentication" when the question clearly is about *proxying*. back-ldap and back-meta exist for proxying. This was just answered a few weeks ago.

http://www.openldap.org/lists/openldap-technical/201410/msg00078.html

The obvious solution here is a local database with back-meta in front of it. The back-meta instance can be pointed at both the remote AD server and the local server and will automatically search both DBs to find a user's account (when performing a search request) and then the following Bind request will just do the right thing.

Use the right tool for the job. pass-through authentication is not the solution for a proxying task.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/