Re: "Dynamic" authentication passthrough?

[Curtiss Howard <curtiss.howard@gmail.com>]

On Fri, Mar 31, 2017 at 12:47 PM, Howard Chu <hyc@symas.com> wrote:

Curtiss Howard wrote:

Hi,

I've got two Active Directory servers that are being proxied through OpenLDAP
and their respective trees are being merged into one.  So far, so good.

Now I want to allow users to bind to the OpenLDAP server and pass the
authentication through to the appropriate AD and let it do the password checking.

I see a lot of documentation on using SASL for passthrough, but where I'm
stuck is that this requires every user to have an account in the OpenLDAP
server in order to see if the userPassword attribute is specially formatted.
In my case, this isn't really a palatable solution because I'm using the
OpenLDAP server with the meta backend and using it as a "live view" into the
data contained in the ADs.  Other applications can talk directly to the ADs
and in order to do the SASL approach there'd have to be some syncing from the
ADs to the OpenLDAP server every time a user is created/deleted.

I would think that surely there must be some way to pass through the
authentication in a more obvious manner -- i.e., if the user doesn't exist
locally, try to bind against each proxied server in succession.  But I can't
seem to find a way to do this, all references point to the SASL approach.

Is there a way to do this?

Just use slapo-pbind.

Ah nice, this sounds more like it.  However, I have two AD servers that I'm proxying -- is there a concept of using this overlay multiple times?