Hi William,

Maybe I didn't explain myself correctly. I have no problem making OpenLDAP work as a consolidation directory for a single Active Directory forest, with SASL doing the pass-through authentication from OpenLDAP to the AD Global Catalog. What I don't know is how I can do it with multiple AD domain controllers.
Let me give an example:

User: Paulo.Correia   Domain Controller: AD.cisco.com   UPN: Paulo.Correia@cisco.com
User: William.Brown   Domain Controller: AD.mit.edu     UPN: William.Brown@mit.edu
Now I want to have a single directory in OpenLDAP that will hold both users and will pass the authentication through to the original ADs:
# Hernani Correia, Users, cisco.com
dn: CN=Paulo Correia,CN=Users,DC=consolidated,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: Hernani Correia
sn: Correia
givenName: Hernani
userPassword: {SASL}Paulo.Correia@cisco.com
userPrincipalName: Paulo.Correia@cisco.com
mail: Paulo.Correia@cisco.com

# William Brown, Users, consolidated.com
dn: CN=William Brown,CN=Users,DC=consolidated,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: William Brown
sn: Brown
givenName: William
userPassword: {SASL}William.Brown@mit.edu
userPrincipalName: William.Brown@mit.edu
mail: William.Brown@mit.edu
My problem is that in /etc/saslauthd.conf I need to statically define a single LDAP server, or a list of them, for the queries:

ldap_servers: ldap://ad-cisco-1.cisco.com
ldap_search_base: dc=cisco,dc=com
ldap_timeout: 10
ldap_filter: sAMAccountName=%u
ldap_bind_dn: cn=Administrator,cn=users,dc=cisco,dc=com
ldap_password: Cisco,123
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
I need to bind based on the domain, not a single bind in SASL.

Can you help?
Paulo
-----Original Message-----
From: Indexer [mailto:indexer@internode.on.net]
Sent: Monday, November 15, 2010 11:44 AM
To: Paulo Jorge N. Correia (paucorre)
Cc: openldap-technical@openldap.org
Subject: Re: Pass-Through authentication
On 15/11/2010, at 04:59, Paulo Jorge N. Correia (paucorre) wrote:
Hi all,
I'm just starting with OpenLDAP and saslauthd, and I'm trying to replicate what I can achieve with ADAM/AD LDS on the Windows platform.
I'm trying to use OpenLDAP to aggregate user information from several AD servers under different forests.
So a single point of contact from an LDAP perspective for an organization, and then OpenLDAP should pass the authentication request it receives through to the AD DC of the respective user.
This works well with saslauthd for a single domain, but if I need to do this with multiple domains, I don't know how to configure saslauthd.
Windows and AD utilise Kerberos. Just treat your AD servers as KRB5 realms, and it works. Both MIT and Heimdal can work with this, so following the pass-through instructions for these will work.
Alternatively, you can use AD as an LDAP server, but it follows much the same principles.
http://www.openldap.org/doc/admin24/security.html
Can someone help?
Thank you,
Paulo
William Brown
pgp.mit.edu
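To make the Kerberos-realm approach William suggests concrete, here is an added example (written for this page, not posted by either participant) of a krb5.conf that lets one saslauthd instance route each user's password check to the domain controller of that user's own forest. The realm names and domain controller hostnames are taken from Paulo's example; the MIT Kerberos client libraries and the saslauthd command line are assumptions.

```ini
# Added example, not from the thread. Assumes the MIT Kerberos client libraries on
# the OpenLDAP host and that each AD domain controller is reachable on port 88.
# Start saslauthd with the Kerberos mechanism instead of the LDAP one:
#     saslauthd -a kerberos5
# /etc/saslauthd.conf is read only by the ldap mechanism, so with kerberos5 no
# bind DN and no administrator password need to be stored on the OpenLDAP host.

[libdefaults]
    # Used only when a user's {SASL} value carries no realm part.
    default_realm = CISCO.COM
    # Use the KDCs listed below rather than DNS SRV discovery.
    dns_lookup_kdc = false

[realms]
    # One stanza per AD forest; the realm name is the DNS domain in upper case,
    # and any domain controller of that domain is a KDC for it.
    CISCO.COM = {
        kdc = AD.cisco.com
    }
    MIT.EDU = {
        kdc = AD.mit.edu
    }

[domain_realm]
    .cisco.com = CISCO.COM
    cisco.com  = CISCO.COM
    .mit.edu   = MIT.EDU
    mit.edu    = MIT.EDU

# Matching userPassword values in the consolidated OpenLDAP directory. The part
# after '@' is passed to saslauthd as the realm, so it must match a [realms] name
# exactly (Kerberos realm names are case-sensitive):
#     userPassword: {SASL}Paulo.Correia@CISCO.COM
#     userPassword: {SASL}William.Brown@MIT.EDU
# The kerberos5 mechanism then tries user@REALM only against the KDC of that
# realm, which is the per-domain routing the saslauthd ldap mechanism cannot do.
# Check one user directly, without involving slapd (password is a placeholder):
#     testsaslauthd -u Paulo.Correia -r CISCO.COM -p 'the-users-password'
```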