On Fri, Feb 13, 2009 at 04:54:36PM +0700, Duong Pham Tung wrote:
> I am building a solution for web-based application authentication using OpenLDAP as a backend data source. But in my case, OpenLDAP acts as a proxy and all user information is stored on AD servers. I can get some fields from AD into OpenLDAP, but that is not enough for my apps to authenticate users, because OpenLDAP can't get the password field from the ADs. So, does OpenLDAP have other solutions to solve my problem?
This requirement comes up on the mailing lists quite often, so you would do well to search the archives.
The first thing to understand is that you *cannot* extract password data from AD because it is not there. AD defers authentication to Kerberos, which does not store a usable password either.
There are several ways around the problem. One is to use pass-through authentication:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authenticat...
Other possibilities are:
Use back-meta and slapo-rwm to make your AD namespace look like the one you want for LDAP.
Use one of the contributed overlays that do password callouts (either to LDAP or directly to Kerberos) and store the password in OpenLDAP if it is correct. There are at least two choices here, but I don't think either has been rolled into the OpenLDAP distribution yet, so you would have to build them yourself.
You may also want to look at systems to capture passwords on AD when they are changed. There are several packages that do that by pretending to be password quality checkers. Microsoft ship one as part of SFU, there is a free one on Sourceforge, and most commercial directory synchronisation products have them.
Andrew
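The pass-through option Andrew points to, written out as an added configuration example (this is not from Andrew's reply or from the OpenLDAP documentation). The user's password is never stored in OpenLDAP: the entry carries a {SASL} userPassword value, slapd hands the bind password to Cyrus SASL, and saslauthd checks it against AD with a simple bind. All hostnames, DNs, the realm CORP.EXAMPLE.COM, the service account and the file paths below are assumptions for illustration.

```conf
# Added example, not part of the original thread. Names, realm, DNs and
# paths are assumed; adjust to your site.

# --- 1. The user's entry in OpenLDAP (LDIF) ---------------------------------
# No hash is stored. The {SASL} scheme makes slapd pass the bind password to
# Cyrus SASL, using "jdoe" as the user and "CORP.EXAMPLE.COM" as the realm.
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
sn: Doe
userPassword: {SASL}jdoe@CORP.EXAMPLE.COM

# --- 2. slapd's Cyrus SASL config ---------------------------------------------
# File: /usr/lib/sasl2/slapd.conf (or /etc/sasl2/slapd.conf, depending on
# distribution). Tells libsasl to verify plaintext passwords via saslauthd.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- 3. saslauthd config ------------------------------------------------------
# File: /etc/saslauthd.conf. Run saslauthd as: saslauthd -a ldap
# saslauthd binds as a low-privilege service account, looks the user up by
# sAMAccountName, then re-binds as the DN it found with the user's password
# (ldap_auth_method: bind). AD only ever sees a normal bind attempt.
ldap_servers: ldaps://dc1.corp.example.com/
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/corp-ad-ca.pem
ldap_search_base: dc=corp,dc=example,dc=com
ldap_filter: (sAMAccountName=%u)
ldap_auth_method: bind
ldap_bind_dn: cn=saslauthd,cn=Users,dc=corp,dc=example,dc=com
ldap_bind_pw: service-account-password-here
```

To check each hop separately, first talk to saslauthd directly (testsaslauthd -u jdoe -p 'the-password' -r CORP.EXAMPLE.COM), then do a full bind through slapd (ldapwhoami -x -H ldaps://ldap.example.com -D uid=jdoe,ou=people,dc=example,dc=com -W). If you would rather verify against the domain's KDC than against an AD LDAP bind, start saslauthd with -a kerberos5 instead and drop section 3; the realm in the {SASL} value is then used as the Kerberos realm.

Two caveats worth keeping in mind. The user's password crosses every hop in the clear inside the protocol, so the application must talk to slapd over TLS and saslauthd must talk to AD over ldaps (or ldap_start_tls), and the saslauthd socket should be readable only by slapd. And whoever can write userPassword on these entries can log in as anyone: changing the value to {SASL}attacker@CORP.EXAMPLE.COM makes the victim's entry accept the attacker's own AD password, so the attribute still needs a restrictive ACL even though it holds no secret.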