On 05/29/17 23:36 +0900, Alexandre Rosenberg wrote:
I am in a environment where we use both OpenLDAP and Active Directory. All Linux servers authenticate against OpenLDAP where we have user group, unix group (...)
This means that if perform a BIND and a search, the BIND should be performed against the AD but the search result should from OpenLDAP. (anonymous search is fine)
The short username are used in in OpenLDAP like this:
uid=john01,ou=People,dc=example,dc=com
While the AD uses the long username. From my test when binding to AD, only the "DN" is simply set to the username.
john.smith@example.com
Pass-through authentication should work if you're performing simple binds. Chapter 14 of the admin guide has a good example.
If you're doing sasl binds, use gssapi to authenticate against the AD server directly.