Am 28.05.2014 13:00, schrieb Howard Chu:
Mattias Segerdahl wrote:
Hello,
I was wondering if it is possible to configure OpenLDAP 2.4 to only check the password validation with Active Directory and have the rest of the user attributes, such as mail, loginShell, homeDirectory, etc. come from OpenLDAP? Any pointers, guides, howto’s or even “let me google that for you” are highly appreciated.
Several ways to do that. Use the adauth overlay, or the remoteauth overlay, or the pbind overlay, for example.
Another possibility is to do it with SASL Pass-Through (see 14.5. of http://www.openldap.org/doc/admin24/security.html).
Quite simple, but beware: make sure that the sasl deamon is configured to use ldaps when connecting to AD since the clear text password is transmitted.
Overall it's a bad idea, Active Directory authentication is thousands of times slower than OpenLDAP authentication. You can very easily overload the AD server on an active network.
This of course is correct. Only do it, if you don't expect heavy load!
Cheers,
Peter