On Friday 29 August 2008 14:07:11 Andrew Bartlett wrote:
> On Fri, 2008-08-29 at 15:14 +1000, Nazeeruddin Mohammad wrote:
> > Sorry, I couldn't pass the message properly. We want to use openldap, as many services depend on it. However, we want to synchronize LDAP user accounts with those on AD. This means users need to remember only one password.
> > I heard that there is a possibility of doing this through openldap's proxy feature.
> > Could anyone enlighten me how to accomplish this? Or, is there any other way of doing this?
> > Here is my slapd.conf snippet
>
> Perhaps set the userPassword attribute to {SASL}user@AD.DOMAIN and have SASL handle the forwarding of the simple binds into kerberos kinit requests?
> (I did this, to a bundled Heimdal many years ago, I don't know if it works how you want however).
> Otherwise, perhaps look for a redirection via PAM to winbindd or pam_krb5?
There is a feature hidden in ITS that would provide a better solution, allowing for authentication to still work if/when AD is unavailable (due to network issue, firewall issue etc.).
http://www.openldap.org/its/index.cgi/Contrib?id=5042;selectid=5042
However, there has been no discussion on it in the past year.
I have tested it (against a Heimdal kdc), but it kind of defeats the point if you can't use hdb_ldap at the same time :-P (and there are issues to be resolved to make it work with ppolicy). However, it does work ...
Regards, Buchan
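The {SASL} pass-through that Andrew suggests, written out as an added configuration example (not part of the thread and not OpenLDAP project code): slapd keeps only `{SASL}user@AD.DOMAIN` in userPassword, the Cyrus SASL library inside slapd hands the password check to saslauthd, and saslauthd's kerberos5 mechanism verifies it against the AD domain controller acting as KDC. The realm `AD.DOMAIN` is taken from Andrew's message; the file paths, the DC hostname `dc1.ad.domain`, the base DN and the user `jdoe` are assumptions.

```conf
# /etc/openldap/slapd.conf (assumed path). Nothing {SASL}-specific is needed
# beyond a slapd built with Cyrus SASL, but the simple bind now carries the
# user's AD password in clear, so require TLS on it.
TLSCertificateFile    /etc/openldap/certs/slapd.crt    # assumed paths
TLSCertificateKeyFile /etc/openldap/certs/slapd.key
security              simple_bind=128

# /usr/lib/sasl2/slapd.conf (Cyrus SASL application config for slapd; the
# directory varies by distribution). Route {SASL} checks to saslauthd.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# /etc/sysconfig/saslauthd or /etc/default/saslauthd (distribution-specific):
# verify passwords against the Kerberos KDC, i.e. the AD domain controller.
MECH="kerberos5"

# /etc/krb5.conf: the AD realm the kerberos5 mechanism talks to.
[libdefaults]
    default_realm = AD.DOMAIN
[realms]
    AD.DOMAIN = {
        kdc = dc1.ad.domain           # assumed DC hostname
    }

# user.ldif: the entry stores no password hash, only the AD principal to
# authenticate as; load with ldapadd -x -ZZ -D cn=admin,dc=example,dc=com -W -f user.ldif
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
userPassword: {SASL}jdoe@AD.DOMAIN
```

Check the saslauthd leg on its own before involving slapd (`testsaslauthd -u jdoe -r AD.DOMAIN -p '<password>'`), then the LDAP leg with `ldapwhoami -x -ZZ -D uid=jdoe,ou=People,dc=example,dc=com -W`. Two caveats follow from the design: every simple bind becomes a round trip to the DC, so, as Buchan notes, authentication stops working the moment AD is unreachable, and the kerberos5 mechanism should be given a host keytab (see your saslauthd man page for the option) so the obtained ticket is verified against a local service key rather than trusting whichever KDC answered.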