
Re: Complex setup to do back-ldap AND SASL auth in one go



On 8/19/19 10:39 AM, Markus.Storm@t-systems.com wrote:
> Ultimately I want some UNIX machines using pam-ldap to authenticate against an Active Directory ("AD").

Hint: Don't use the ancient pam_ldap.

> Logins to those machines require a number of attributes but I don't
> have authority/ability to store them in the AD.  They are stored in
> an external (non-OpenLDAP !) server "S" instead. As the AD passwords
> cannot be read/replicated, I also cannot simply direct clients to S,

That's exactly the use-case for overlay slapo-translucent used in a
proxy backend along with back-mdb for storing local data:

https://www.openldap.org/software/man.cgi?query=slapo-translucent

With this you can point your clients to S.

There are other variants to this use-case, e.g. proxying only the bind
requests sent to S to AD (pass-through authc) and retrieving all data
from S.

Ciao, Michael.
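As an added illustration of the layout Michael sketches (this is not configuration from the thread or from the OpenLDAP project; it is a constructed example), below is a slapd.conf fragment for a translucent proxy: back-ldap forwards to AD, slapo-translucent merges in POSIX attributes kept in the overlay's local database, and simple binds are passed through to AD so no password is ever stored locally. All hostnames, DNs, the service account used for searches, and the attribute list are assumptions; check the directive ordering against the slapo-translucent man page linked above for your slapd version.

```conf
# Constructed example, not from the thread or the OpenLDAP project.
# Remote side: proxy database that forwards to AD.
database        ldap
suffix          "dc=example,dc=com"      # assumed suffix
rootdn          "cn=proxy-admin,dc=example,dc=com"  # assumed; used to load local entries
uri             "ldaps://ad.example.com/"           # assumed AD host

# AD usually rejects anonymous searches, so searches that arrive
# unauthenticated are performed with an assumed read-only service account.
# Binds from clients are still forwarded with the client's own credentials.
idassert-bind   bindmethod=simple
                binddn="cn=ldap-reader,cn=Users,dc=example,dc=com"
                credentials="REPLACE_WITH_SERVICE_PASSWORD"

# The overlay is stacked on the proxy database. translucent_bind_local is
# deliberately NOT set: binds go to AD, which is where the passwords live.
overlay         translucent

# Attributes that search filters are allowed to evaluate against the local
# database (nss/pam lookups such as (uidNumber=1000) need this). The list is
# an assumption; use whatever S stores today.
translucent_local   uidNumber,gidNumber,homeDirectory,loginShell

# Reject modify operations that try to delete attributes, which the overlay
# cannot apply consistently across the two databases.
translucent_strict

# Local side: the directives after the overlay configure the overlay's own
# local database, which holds only the attributes AD cannot store.
directory       /var/lib/ldap/translucent   # assumed path
index           objectClass eq
index           uid         eq
```

Operationally, the local database then contains only entries with the same DN as the AD entry plus the extra attributes; a search for a user returns the AD entry with those attributes merged in, and a failed bind is rejected by AD itself rather than by anything stored on the proxy.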
