On Fri, Dec 12, 2008 at 07:31:47PM +0000, kartik_subbarao@hp.com wrote:
> As discussed with Howard Chu, HP is contributing the code for an Active Directory Authentication overlay (written by Neil Dunbar) to OpenLDAP.
>
> The adauth overlay provides passthrough authentication to Active Directory for LDAP simple bind operations. The local LDAP entry referenced in the bind operation is mapped to its counterpart in the Active Directory, an LDAP bind operation is performed against Active Directory, and results are returned based on the results of that remote operation. If a local userPassword attribute is populated for the entry, it is used instead of the AD authentication.
This is very good news, as it deals with a common requirement without having to configure saslauthd.
One suggestion following a very quick scan of the code: I think it would be worth bringing the warning about turning off TLS checks into the manual page.
It is worth noting that this overlay raises issues similar to those raised by the contributed adpwc/extpwc module - see ITS#5042. In this case the access to AD is via LDAP rather than Kerberos, but most of the arguments are similar. In particular, there is no reason for this to be AD-specific and it should be easy to adapt it to authenticate against any [collection of] remote LDAP servers.
Andrew
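The bind decision the quoted overlay description lays out, as an added Python model written for this thread (it is neither the adauth code nor anything in OpenLDAP): a populated local userPassword wins, otherwise the entry's DN is mapped to its remote counterpart and the remote servers are tried in order, which also covers Andrew's point that the remote side need not be AD. The remote servers are stand-in callables `(remote_dn, password) -> bool` and `map_dn` is an assumed mapping function, so it runs offline; the empty-password refusal and the TLS warning are defensive additions, not behaviour the thread attributes to the overlay.

```python
import base64
import hashlib
import hmac
import os
import warnings

def make_ssha(password, salt=None):
    """Build an OpenLDAP-style {SSHA} userPassword value: base64(sha1(pw+salt)+salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_local_password(stored, candidate):
    """Verify a candidate against a userPassword value; unknown schemes fail closed."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(calc, digest)
    if stored.startswith("{"):  # {CRYPT}, {MD5}, ... are not handled in this model
        return False
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))

def passthrough_bind(entry, password, map_dn, remotes, tls_verify=True):
    """Decide a simple bind for a local entry; returns (success, decided_by).

    A populated local userPassword is used instead of the remote check; otherwise
    the entry's DN is mapped to its remote counterpart and each remote server
    (constructed stand-in callables taking (remote_dn, password)) is tried in turn.
    """
    if not tls_verify:
        warnings.warn("TLS certificate checks disabled: a spoofed remote server "
                      "could capture forwarded bind credentials", RuntimeWarning)
    # An empty password is an anonymous/unauthenticated bind in LDAP, which many
    # servers answer with success, so it must never be forwarded as a credential.
    if password == "":
        return (False, "empty-password")
    local = entry.get("userPassword")
    if local:
        return (check_local_password(local, password), "local")
    remote_dn = map_dn(entry["dn"])
    if remote_dn is None:
        return (False, "unmapped")
    for bind in remotes:
        if bind(remote_dn, password):
            return (True, "remote")
    return (False, "remote")
```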