On 18/07/10 23:52 +0600, OSHIM wrote:
What we want to achieve is that users of services like OpenVPN, web proxy, email, file sharing, etc. will only need to remember their MS AD password, and they will be able to log in to the corresponding services they are entitled to use. In order to do so, we will need to configure OpenLDAP on Linux to authenticate with the MS AD server. OpenLDAP will contain the user information, but authentication will come from MS AD.
You've presented a list of software that just isn't going to work the same way. There's no consistent approach to how software uses LDAP to authenticate users.
You're going to need to do some research and find out how each package performs authentication:
1. Does the software directly bind to the LDAP server using the provided user credentials, and use the result as a yes/no determination of whether the user is authenticated?
2. If so, does it bind using SASL?
3. If not, does it bind to the server using a privileged account to retrieve the user's DN? Does it then perform a second bind to the LDAP server?
4. If not, does it simply use LDAP as a password database, retrieving the user's credentials via a privileged account and then acting on the retrieved password?
5. Something else? If it can't use LDAP, can it use PAM?
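As an added illustration (not part of the thread, and not code from any of the projects named in it), the following Python shows the two LDAP patterns most relevant to an AD back end from the list above: the direct bind of item 1 and the search-then-bind flow of item 3. It runs against a constructed in-memory stand-in for the AD server so it executes offline; the class name FakeDirectory, the DNs, account names and passwords are all made up for the example. The stand-in reproduces one real server behaviour that direct-bind implementations regularly trip over: a simple bind with a name and an empty password is an RFC 4513 "unauthenticated bind" and succeeds as anonymous, so any code that treats the bind result as the yes/no answer must reject empty passwords before binding.

```python
"""Two LDAP authentication patterns (direct bind, search-then-bind) run
against a constructed in-memory directory. Nothing here is from the thread
or from OpenLDAP/AD; FakeDirectory, the DNs and passwords are made up."""
from typing import Dict, Optional


class FakeDirectory:
    """Constructed stand-in for an LDAP/AD server (assumption: not a real client).

    Mimics two server behaviours that matter for the patterns below:
      * a simple bind with an empty password is an *unauthenticated* bind
        (RFC 4513 5.1.2) and is accepted as anonymous, which AD allows by default;
      * searching requires a non-anonymous bind (no anonymous reads).
    """

    def __init__(self, entries: Dict[str, Dict[str, str]]):
        self.entries = entries  # DN -> attributes (constructed sample data)

    def _find(self, name: Optional[str]) -> Optional[Dict[str, str]]:
        # Accept either a DN or a userPrincipalName as the bind name, as AD does.
        if name in self.entries:
            return self.entries[name]
        return next((a for a in self.entries.values()
                     if a.get("userPrincipalName") == name), None)

    def simple_bind(self, name: Optional[str], password: str) -> bool:
        """True if the server accepts the bind. Empty password => anonymous => True."""
        if not password:
            return True
        entry = self._find(name)
        return entry is not None and entry.get("userPassword") == password

    def search(self, bound_name: str, bound_pw: str,
               base: str, attr: str, value: str) -> Optional[str]:
        """DN of the first entry under `base` with attr=value; needs a real bind."""
        if not bound_pw or not self.simple_bind(bound_name, bound_pw):
            return None
        for dn, attrs in self.entries.items():
            if dn.lower().endswith(base.lower()) and attrs.get(attr) == value:
                return dn
        return None


# Item 1: bind as the user and use the bind result as the yes/no answer.
def direct_bind_auth(directory: FakeDirectory, name_template: str,
                     username: str, password: str) -> bool:
    if not password:  # essential guard: otherwise the anonymous bind "succeeds"
        return False
    return directory.simple_bind(name_template.format(user=username), password)


# Item 3: a privileged service account looks up the user's DN, then a second
# bind with the user's own credentials decides. Only the service account
# needs read rights; the user's password is never read from the directory.
def search_then_bind_auth(directory: FakeDirectory, service_dn: str, service_pw: str,
                          base: str, username: str, password: str) -> bool:
    if not password:
        return False
    user_dn = directory.search(service_dn, service_pw, base, "sAMAccountName", username)
    if user_dn is None:
        return False  # unknown user, or the service account could not search
    return directory.simple_bind(user_dn, password)


# Constructed sample directory.
SVC_DN = "CN=svc-ldap,OU=Service Accounts,DC=example,DC=test"
BASE = "DC=example,DC=test"
DIRECTORY = FakeDirectory({
    SVC_DN: {"sAMAccountName": "svc-ldap", "userPassword": "svc-secret"},
    "CN=Alice Example,OU=Users,DC=example,DC=test": {
        "sAMAccountName": "alice",
        "userPrincipalName": "alice@example.test",
        "userPassword": "correct horse"},
})


def demo() -> Dict[str, bool]:
    tmpl = "{user}@example.test"
    return {
        "direct_ok": direct_bind_auth(DIRECTORY, tmpl, "alice", "correct horse"),
        "direct_wrong": direct_bind_auth(DIRECTORY, tmpl, "alice", "nope"),
        "direct_blank": direct_bind_auth(DIRECTORY, tmpl, "alice", ""),
        # The trap the guard above prevents: a raw bind with a blank password is accepted.
        "raw_blank_bind": DIRECTORY.simple_bind("alice@example.test", ""),
        "search_ok": search_then_bind_auth(DIRECTORY, SVC_DN, "svc-secret", BASE, "alice", "correct horse"),
        "search_wrong": search_then_bind_auth(DIRECTORY, SVC_DN, "svc-secret", BASE, "alice", "nope"),
        "search_unknown": search_then_bind_auth(DIRECTORY, SVC_DN, "svc-secret", BASE, "mallory", "x"),
        "search_bad_svc": search_then_bind_auth(DIRECTORY, SVC_DN, "wrong", BASE, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Item 4 from the list (reading the stored password with a privileged account) is deliberately not shown: it needs read access to password material, which is the widest privilege of the four options, and AD does not return password attributes over LDAP in any case, so a package that only works that way cannot be pointed at AD.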