Re: OpenLDAP as proxy to Active Directory backend
Jeff,
The basic functionality is there. You can tell OpenLDAP to use SASL
for authentication, against any available SASL mechanism that's
supported on your platform. Part of the story is here:
http://www.openldap.org/doc/admin24/security.html#Pass-Through authentication
Pay very close attention to paragraph 14.5.1. That little SASL config
file (not part of OpenLDAP) will stop the show if it's not right.
I almost had it working, but I couldn't do it, because I still needed
local LDAP password hashes in my use case. I couldn't get the "{SASL}"
password value to work for some reason. Turning on SASL pass-through
seemed to be an all or nothing choice in my case. You will probably
have to do some work to get it up and running.
Best,
--Bruce
On Tue, Oct 14, 2014 at 1:46 PM, Jeff Lebo <jeflebo(a)outlook.com> wrote:
Goal: LDAP server in Internet facing DMZ to provide authentication
for
externally hosted applications using internal AD credentials.
I've done a LOT of reading and testing, and there is one thing I am still
not 100% clear on:
Is it possible to do this WITHOUT having a local user database on the
OpenLDAP proxy? We will have thousands of users that will need to
authenticate, and I can't maintain another user database (adds, removes,
etc..). Is there a way to make OpenLDAP just act more like a reverse proxy
and forward anything that matches a specific domain on to the internal
LDAP/AD server for password verification?