On 05/29/2017 10:48 AM, Andreas Hasenack wrote:

On Mon, May 29, 2017 at 11:36 AM, Alexandre Rosenberg <arekkusu@r42.ch> wrote:
Hello,

I am in an environment where we use both OpenLDAP and Active Directory.
All Linux servers authenticate against OpenLDAP where we have user groups, unix groups (...)

I would like to keep everything the same except that when the user binds to OpenLDAP the credential should be checked against Active Directory.
There is no need to retrieve/return any information from Active Directory except for the authentication.

This means that if I perform a BIND and a search, the BIND should be performed against the AD but the search result should come from OpenLDAP. (anonymous search is fine)

One complication is that we have 2 types of usernames:

        short username: john01
        long username:  john.smith@example.com

The short usernames are used in OpenLDAP like this:

        uid=john01,ou=People,dc=example,dc=com

While the AD uses the long username. From my test, when binding to AD, the "DN" is simply set to the username:

        john.smith@example.com

I am starting to seriously look at the various OpenLDAP overlays and proxy functionality but I am a bit confused on how to achieve this.


Have you looked into authenticating using GSSAPI (Kerberos)? Your AD is your Kerberos server. Then all you need is an openldap service user in AD and you are done.

If you have ACLs in openldap that rely on the openldap-stored user DN (uid=john01, ...), you can use authz-regexp to map the Kerberos SASL entity to that, probably.

+1 That's exactly how we do it here, and it works great.  If you're not familiar with Kerberos yet, take the time to learn it - it's not that hard to learn, and it's time well spent.

Also, if you're going to be using AD for Kerberos in a Linux environment, you might want to know about msktutil, which is like ktutil, but works with AD Kerberos servers:

https://sourceforge.net/projects/msktutil/

--
Prentice
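An added configuration example (not from any of the posters) of the authz-regexp mapping Andreas describes, for the short/long username split in the original question. It assumes the AD realm is EXAMPLE.COM, users live under ou=People,dc=example,dc=com, and each OpenLDAP entry stores the long name in its mail attribute; the thread does not say which attribute holds it.

```conf
# slapd.conf fragment (added example, not from the thread).
# Assumptions: AD/Kerberos realm EXAMPLE.COM, users under
# ou=People,dc=example,dc=com, and every entry carrying its long
# (AD-style) name in the "mail" attribute, e.g.
#     dn: uid=john01,ou=People,dc=example,dc=com
#     mail: john.smith@example.com
# slapd also needs a keytab for its ldap/<host>@EXAMPLE.COM principal
# (the "service user" in AD, e.g. created with msktutil) in the file
# named by KRB5_KTNAME.

# After a GSSAPI bind slapd derives the SASL identity
#     uid=<principal>,cn=<realm>,cn=gssapi,cn=auth
# e.g. john.smith@EXAMPLE.COM -> uid=john.smith,cn=example.com,cn=gssapi,cn=auth
# Before any rule matches, "ldapwhoami -Y GSSAPI" prints exactly that
# string, which is the quickest way to confirm the form to match.
#
# A regex cannot turn "john.smith" into "john01", so the replacement is
# an LDAP URL: slapd runs that search internally and uses the single
# entry it returns as the bound DN. The OR filter also covers principals
# that already equal the uid (john01@EXAMPLE.COM).
authz-regexp
    "^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth$"
    "ldap:///ou=People,dc=example,dc=com??one?(|(uid=$1)(mail=$1@example.com))"

# The search must return exactly one entry, otherwise the identity stays
# unmapped and existing ACLs written against uid=...,ou=People will not
# apply; keep uid and mail unique across ou=People.
```

Under cn=config the same two strings go into the olcAuthzRegexp attribute of the cn=config entry. Clients then kinit against AD and bind with `-Y GSSAPI`, so the password is verified by the AD KDC while searches still come from OpenLDAP, which is the split the original question asks for.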