Jeff Lebo wrote:
> Goal: LDAP server in Internet-facing DMZ to provide authentication for
> externally hosted applications using internal AD credentials.
> I've done a LOT of reading and testing, and there is one thing I am still not
> 100% clear on:
> Is it possible to do this WITHOUT having a local user database on the OpenLDAP
> proxy? We will have thousands of users that will need to authenticate, and I
> can't maintain another user database (adds, removes, etc.). Is there a way
> to make OpenLDAP just act more like a reverse proxy and forward anything that
> matches a specific domain on to the internal LDAP/AD server for password
> verification?
That's exactly what back-ldap does. A couple other posts have already pointed
you to its manpage/documentation. Everything else mentioned so far (SASL
passthrough) is misdirection.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
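For readers who want to see what the back-ldap answer above looks like in practice, here is an added slapd.conf fragment (constructed for this thread, not from the post or from the OpenLDAP project): a DMZ proxy with no local user database that forwards every operation under the suffix, including each client's simple bind, to the internal AD over TLS. The suffix, hostnames and certificate paths are placeholders; identity assertion for application service accounts (idassert-bind) is deliberately left out.

```conf
# slapd.conf for the DMZ proxy (constructed example; suffix, hostnames and
# certificate paths are placeholders, not values from the thread)
include         /etc/openldap/schema/core.schema

# Listener side: Internet-facing applications must talk to the proxy over TLS,
# otherwise AD passwords would cross the DMZ boundary in the clear.
TLSCertificateFile      /etc/openldap/certs/dmz-proxy.crt
TLSCertificateKeyFile   /etc/openldap/certs/dmz-proxy.key
security        tls=128

# back-ldap: no local entries at all. Operations under the suffix are proxied
# to AD, and a client's simple bind is replayed against AD with the client's
# own DN and password, so password verification stays inside the network.
database        ldap
suffix          "dc=corp,dc=example,dc=com"
uri             "ldap://ad1.corp.example.com"
protocol-version 3
# StartTLS to AD, and verify AD's certificate against the internal CA.
tls             start tls_cacert=/etc/openldap/certs/internal-ca.pem tls_reqcert=demand
# Re-authenticate as the client (not as the proxy) when a rebind is needed.
rebind-as-user  yes
# AD hands out referrals for other partitions; the proxy must not follow them.
chase-referrals no
# Drop idle upstream connections so stale AD sessions do not accumulate.
idle-timeout    60

# Anonymous clients may bind (the bind itself is proxied) but read nothing;
# only successfully bound identities can search what AD lets them see.
access to * by users read by * none
```

Each external application binds with the user's DN under the suffix; the proxy never stores a password or a user entry, so there is nothing to synchronise when accounts are added or removed in AD.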