Excellent... I am now able to simulate the process that the external application will use:

- Bind to OpenLDAP server using AD service account.
- Search for DN of user account using sAMAccountName filter.
- Bind to OpenLDAP server using DN and password of user account to provide auth for application.

How can I limit what data is accessible via search?  Since all I am trying to do is check user/pass, the only thing I'd like to allow returned to the client is the DN.

I've tried with 'rwm-map attribute *' per a few documents I found, but I don't get anything returned via my LDAP search with that in the config (I've tried lots of different combos above that to allow data, then block all other data).

Now that I think I've got this working for the most part... what are some best security practices for this setup?

> Date: Wed, 15 Oct 2014 01:50:02 +0100
> From: hyc@symas.com
> To: jeflebo@outlook.com; openldap-technical@openldap.org
> Subject: Re: OpenLDAP as proxy to Active Directory backend
>
> Jeff Lebo wrote:
> > Goal: LDAP server in Internet facing DMZ to provide authentication for
> > externally hosted applications using internal AD credentials.
> >
> > I've done a LOT of reading and testing, and there is one thing I am still not
> > 100% clear on:
> >
> > Is it possible to do this WITHOUT having a local user database on the OpenLDAP
> > proxy? We will have thousands of users that will need to authenticate, and I
> > can't maintain another user database (adds, removes, etc..). Is there a way
> > to make OpenLDAP just act more like a reverse proxy and forward anything that
> > matches a specific domain on to the internal LDAP/AD server for password
> > verification?
>
> That's exactly what back-ldap does. A couple other posts have already pointed
> you to its manpage/documentation. Everything else mentioned so far (SASL
> passthrough) is misdirection.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>