On Friday 29 August 2008 17:05:52 Michael Ströder wrote:
> Buchan Milne wrote:
>> There is a feature hidden in ITS that would provide a better solution (depending on your requirements), allowing for authentication to still work if/when AD is unavailable (due to network issue, firewall issue etc.).
>> http://www.openldap.org/its/index.cgi/Contrib?id=5042;selectid=5042
>
> The problem with this approach is that it stores a copy of the password within OpenLDAP. Depending on the security policy that's maybe not what one wants.
But the operational policy may require it. The OpenLDAP administrator is the only person who can make/implement that decision; I don't see a reason to prevent the administrator from doing this. It is better than a clear-text simple bind using the {SASL} feature (which would expose the cleartext password that you are trying to protect).
Regards, Buchan
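The trade-off in this thread is about how each account's password is held in the directory: a locally stored hash versus a {SASL} pass-through value, which forwards the cleartext password to the external authenticator on every bind. The following is an added audit script, not code from the thread or from the OpenLDAP project: it reads an LDIF export, classifies every userPassword by its {SCHEME} prefix, and lists the entries whose scheme means the cleartext leaves or sits in the directory ({SASL}, {CLEARTEXT}, or no prefix at all). The LDIF sample is constructed, and the attribute names and the set of schemes to flag are assumptions for illustration.

```python
"""Audit userPassword storage schemes in an LDIF export.

Added example (not from the mailing-list thread or OpenLDAP itself).
Classifies each entry's userPassword by its {SCHEME} prefix so an admin
can see which accounts depend on {SASL} pass-through (cleartext forwarded
on every bind) rather than a hash stored locally. Sample LDIF is constructed.
"""
import base64
import re
from collections import Counter

# "{SCHEME}..." prefix used by OpenLDAP userPassword values.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")
B64_LINE = re.compile(r"^([A-Za-z][\w;-]*)::\s*(.*)$")   # attr:: base64value
PLAIN_LINE = re.compile(r"^([A-Za-z][\w;-]*):\s*(.*)$")  # attr: value

# Schemes where the cleartext is forwarded or stored as-is (assumed policy).
# "NONE" is our label for a value with no {SCHEME} prefix at all.
REVIEW_SCHEMES = {"SASL", "CLEARTEXT", "NONE"}


def _entry_from_lines(lines):
    """Turn one entry's logical lines into (dn, [(attr, value), ...])."""
    dn, attrs = None, []
    for line in lines:
        m = B64_LINE.match(line)
        if m:
            attr, value = m.group(1), base64.b64decode(m.group(2)).decode("utf-8", "replace")
        else:
            m = PLAIN_LINE.match(line)
            if not m:
                continue  # not an attribute line; ignore
            attr, value = m.group(1), m.group(2)
        if attr.lower() == "dn":
            dn = value
        else:
            attrs.append((attr, value))
    return dn, attrs


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading space), skips
    comments, decodes '::' base64 values, splits entries on blank lines."""
    entries, logical = [], []
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # folded line: append to previous
        elif raw == "":
            if logical:
                entries.append(_entry_from_lines(logical))
                logical = []
        else:
            logical.append(raw)
    return entries


def classify_password(value):
    """Return the {SCHEME} name upper-cased, or 'NONE' when there is no prefix."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "NONE"


def audit(text):
    """Map each DN that has a userPassword to its storage scheme."""
    result = {}
    for dn, attrs in parse_ldif(text):
        for attr, value in attrs:
            if attr.lower() == "userpassword":
                result[dn] = classify_password(value)
    return result


def review_list(text):
    """DNs whose password scheme exposes the cleartext (see REVIEW_SCHEMES)."""
    return sorted(dn for dn, scheme in audit(text).items() if scheme in REVIEW_SCHEMES)


def summary(text):
    """Count of entries per scheme."""
    return Counter(audit(text).values())


# Constructed sample export: one pass-through user, one hashed, one bare
# cleartext, and one entry with no password at all.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "uid: alice",
    "userPassword: {SASL}alice@EXAMPLE.COM",
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "uid: bob",
    "userPassword:: " + base64.b64encode(b"{SSHA}not-a-real-hash").decode(),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "uid: carol",
    "userPassword: hunter2",
    "",
    "dn: uid=dave,ou=people,dc=example,dc=com",
    "uid: dave",
    "description: service account without a local password",
])

if __name__ == "__main__":
    for scheme, count in sorted(summary(SAMPLE_LDIF).items()):
        print(f"{scheme:10s} {count}")
    for dn in review_list(SAMPLE_LDIF):
        print("review:", dn)
```

Run it against a real export (`slapcat` output) by passing the file contents to `audit` or `review_list`; the classification is by prefix only, so it says nothing about hash strength, only which entries never hold a hash locally.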