Bruce,

My SASL authentication is working...

I am still confused on how to setup OpenLDAP to pass ALL attempts through to SASL.  The only method I've found is to create users in a local OpenLDAP database and set the userPassword attribute to {SASL}username@REALM.

What am I missing here?

> Date: Tue, 14 Oct 2014 16:23:26 -0700
> Subject: Re: OpenLDAP as proxy to Active Directory backend
> From: bruce.carleton@dena.com
> To: jeflebo@outlook.com
> CC: openldap-technical@openldap.org
>
> Jeff,
>
> The basic functionality is there. You can tell OpenLDAP to use SASL
> for authentication, against any available SASL mechanism that's
> supported on your platform. Part of the story is here:
>
> http://www.openldap.org/doc/admin24/security.html#Pass-Through authentication
>
> Pay very close attention to paragraph 14.5.1. That little SASL config
> file (not part of OpenLDAP) will stop the show if it's not right.
>
> I almost had it working, but I couldn't do it, because I still needed
> local LDAP password hashes in my use case. I couldn't get the "{SASL}"
> password value to work for some reason. Turning on SASL pass-through
> seemed to be an all or nothing choice in my case. You will probably
> have to do some work to get it up and running.
>
> Best,
>
> --Bruce
>
> On Tue, Oct 14, 2014 at 1:46 PM, Jeff Lebo <jeflebo@outlook.com> wrote:
> > Goal: LDAP server in Internet facing DMZ to provide authentication for
> > externally hosted applications using internal AD credentials.
> >
> > I've done a LOT of reading and testing, and there is one thing I am still
> > not 100% clear on:
> >
> > Is it possible to do this WITHOUT having a local user database on the
> > OpenLDAP proxy? We will have thousands of users that will need to
> > authenticate, and I can't maintain another user database (adds, removes,
> > etc..). Is there a way to make OpenLDAP just act more like a reverse proxy
> > and forward anything that matches a specific domain on to the internal
> > LDAP/AD server for password verification?
>