On Mon, May 29, 2017 at 11:36 AM, Alexandre Rosenberg <arekkusu@r42.ch> wrote:
Hello,

I am in an environment where we use both OpenLDAP and Active Directory.
All Linux servers authenticate against OpenLDAP where we have user group, unix group (...)

I would like to keep everything the same except that when the user binds to OpenLDAP the credentials should be checked against Active Directory.
There is no need to retrieve/return any information from Active Directory except for the authentication.

This means that if I perform a BIND and a search, the BIND should be performed against the AD but the search result should come from OpenLDAP. (anonymous search is fine)

One complication is that we have two types of usernames:

        short username: john01
        long username:  john.smith@example.com

The short usernames are used in OpenLDAP like this:

        uid=john01,ou=People,dc=example,dc=com

While the AD uses the long username. From my test, when binding to AD the "DN" is simply set to the username:

        john.smith@example.com

I am starting to seriously look at the various OpenLDAP overlay and proxy functionalities but I am a bit confused about how to achieve this.


Have you looked into authenticating using GSSAPI (Kerberos)? Your AD is your Kerberos server. Then all you need is an OpenLDAP service user in AD and you are done.

If you have ACLs in OpenLDAP that rely on the OpenLDAP-stored user DN (uid=john01, ...), you can probably use authz-regexp to map the Kerberos SASL entity to that.
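A concrete form of the authz-regexp mapping suggested in the reply, as an added example that is not from either poster. It is a cn=config LDIF that adds one olcAuthzRegexp rule. It assumes the AD Kerberos realm is EXAMPLE.COM, that slapd already reads a keytab for its ldap/<fqdn> service principal (the "service user in AD" from the reply), and that each uid=...,ou=People entry stores the long name in its mail attribute (mail: john.smith@example.com). That last assumption is what bridges the john.smith/john01 mismatch: a plain regexp rewrite cannot derive john01 from john.smith, so the rule uses the search form of authz-regexp and lets the directory do the lookup.

```ldif
# Added example, not part of the original thread.
# Assumptions: Kerberos realm EXAMPLE.COM; each OpenLDAP user entry under
# ou=People carries its long name in "mail" (e.g. mail: john.smith@example.com).
#
# After a successful GSSAPI bind, slapd sees the SASL identity as
#   uid=john.smith,cn=EXAMPLE.COM,cn=gssapi,cn=auth
# The rule captures the principal's user part as $1 and resolves it with a
# one-level search under ou=People.  The search must return exactly one
# entry for the mapping to apply; the bind then runs as
#   uid=john01,ou=People,dc=example,dc=com
# so ACLs already written against that DN keep working unchanged.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"^uid=([^,/]+),cn=EXAMPLE\.COM,cn=gssapi,cn=auth$" "ldap:///ou=People,dc=example,dc=com??one?(mail=$1@example.com)"
```

Check it with a real ticket rather than by reading the regexp: `kinit john.smith@EXAMPLE.COM`, then `ldapwhoami -Y GSSAPI -H ldap://ldap.example.com/` (hostname assumed; it must match the service principal in slapd's keytab). Before the rule is loaded ldapwhoami reports the raw `dn:uid=...,cn=EXAMPLE.COM,cn=gssapi,cn=auth` form, which also tells you exactly which user part AD put in the ticket. If AD issues the ticket under the short sAMAccountName (john01) instead of the UPN, the filter becomes `(uid=$1)` and the mail attribute is not needed at all. After ldapadd of the LDIF, ldapwhoami should report `dn:uid=john01,ou=People,dc=example,dc=com`; if it still shows the cn=auth form, the search matched zero or several entries and the ACLs for ou=People will not apply to that session.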