Hello,
I was wondering if it is possible to configure OpenLDAP 2.4 to only check the password validation with Active Directory and have the rest of the user attributes, such as mail, loginShell, homeDirectory, etc. come from OpenLDAP? Any pointers, guides, howto’s or even “let me google that for you” are highly appreciated.
Cheers
Mattias
Mattias Segerdahl wrote:
Hello,
I was wondering if it is possible to configure OpenLDAP 2.4 to only check the password validation with Active Directory and have the rest of the user attributes, such as mail, loginShell, homeDirectory, etc. come from OpenLDAP? Any pointers, guides, howto’s or even “let me google that for you” are highly appreciated.
Several ways to do that. Use the adauth overlay, or the remoteauth overlay, or the pbind overlay, for example.
Overall it's a bad idea, Active Directory authentication is thousands of times slower than OpenLDAP authentication. You can very easily overload the AD server on an active network.
On 28.05.2014 13:00, Howard Chu wrote:
Mattias Segerdahl wrote:
Hello,
I was wondering if it is possible to configure OpenLDAP 2.4 to only check the password validation with Active Directory and have the rest of the user attributes, such as mail, loginShell, homeDirectory, etc. come from OpenLDAP? Any pointers, guides, howto’s or even “let me google that for you” are highly appreciated.
Several ways to do that. Use the adauth overlay, or the remoteauth overlay, or the pbind overlay, for example.
Another possibility is to do it with SASL Pass-Through (see section 14.5 of http://www.openldap.org/doc/admin24/security.html).
Quite simple, but beware: make sure that the SASL daemon is configured to use ldaps when connecting to AD, since the cleartext password is transmitted.
Overall it's a bad idea, Active Directory authentication is thousands of times slower than OpenLDAP authentication. You can very easily overload the AD server on an active network.
This of course is correct. Only do it if you don't expect heavy load!
Cheers,
Peter
On May 28, 2014 5:40 AM, "Mattias Segerdahl" mattias.segerdahl@jeppesen.com wrote:
Hello,
I was wondering if it is possible to configure OpenLDAP 2.4 to only check the password validation with Active Directory and have the rest of the user attributes, such as mail, loginShell, homeDirectory, etc. come from OpenLDAP? Any pointers, guides, howto’s or even “let me google that for you” are highly appreciated.
Cheers
Mattias
Hmm, I've never done that, but if you do it I'd recommend using AD with Kerberos. But if you're using AD already, why have a separate LDAP server for your nsswitch data when AD also supports the RFC 2307 schema? Maybe better to use OpenLDAP plus MIT or Heimdal. If you need a Windows domain controller, maybe take a look at Samba 4: https://lists.samba.org/archive/samba-technical/2014-May/100016.html
2014-05-28 12:23 GMT+02:00 Mattias Segerdahl <mattias.segerdahl@jeppesen.com>:
Hello,
I was wondering if it is possible to configure OpenLDAP 2.4 to only check the password validation with Active Directory and have the rest of the user attributes, such as mail, loginShell, homeDirectory, etc. come from OpenLDAP? Any pointers, guides, howto’s or even “let me google that for you” are highly appreciated.
Hi,
one solution is to use SASL pass-through authentication: http://ltb-project.org/wiki/documentation/general/sasl_delegation
Of course, other solutions are fine too.
Clément.
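The SASL pass-through setup that Peter and Clément both point to, written out as an added configuration example (not from the original thread, the OpenLDAP admin guide or the LTB page). Host names, DNs, realm, file paths and the account names are assumptions for illustration; the directive names are the ones Cyrus SASL's saslauthd and slapd actually use. The weak setting Peter warns about (saslauthd talking plain ldap:// to AD) is shown beside the corrected ldaps:// version with certificate verification, because a password that slapd receives in a simple bind is forwarded to AD as cleartext by saslauthd:

```conf
# --- 1. Tell slapd to hand simple binds on {SASL} passwords to saslauthd ---
# File: /etc/sasl2/slapd.conf (some builds use /usr/lib/sasl2/slapd.conf)
pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux      # assumed socket path; check saslauthd -m

# --- 2. saslauthd LDAP backend, run as: saslauthd -a ldap -O /etc/saslauthd.conf ---
# File: /etc/saslauthd.conf (contains a bind password: chmod 600, owned by root)
#
# WEAK (what to avoid): the user's password travels to AD unencrypted.
#   ldap_servers: ldap://dc1.example.com/
#
# CORRECTED: LDAPS with the server certificate verified against a known CA.
ldap_servers: ldaps://dc1.example.com/ ldaps://dc2.example.com/   # assumed DCs
ldap_version: 3
ldap_tls_check_peer: yes                 # without this, ldaps:// still accepts any cert
ldap_tls_cacert_file: /etc/ssl/certs/corp-ad-ca.pem                # assumed CA bundle
ldap_auth_method: bind                   # look the user up, then bind as that user
ldap_bind_dn: CN=svc-saslauthd,OU=Service Accounts,DC=example,DC=com   # assumed
ldap_bind_pw: <search-account-password>
ldap_search_base: DC=example,DC=com
ldap_filter: (sAMAccountName=%U)         # %U = part before '@' in user@REALM
ldap_deref: never

# --- 3. The OpenLDAP entry keeps its attributes; only the bind is delegated ---
# LDIF applied with ldapmodify: the {SASL} value is not a hash, it is a token
# telling slapd "ask saslauthd about mattias in realm EXAMPLE.COM".
dn: uid=mattias,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}mattias@EXAMPLE.COM

# --- 4. ACL caveat in slapd.conf ---
# With pass-through, anyone who can write userPassword can replace the {SASL}
# token with a local hash and bypass AD entirely. Do not leave the usual
# "by self write" on it; self only needs auth.
access to attrs=userPassword
    by dn.exact="cn=admin,dc=example,dc=com" write
    by anonymous auth
    by self auth
    by * none

# --- 5. Checks, in order: saslauthd alone, then the whole chain through slapd ---
#   testsaslauthd -u mattias -r EXAMPLE.COM -p 'the-AD-password'
#   ldapwhoami -x -H ldap://localhost -D uid=mattias,ou=people,dc=example,dc=com -W
# The second command must still answer with the OpenLDAP DN, and a wrong AD
# password must fail it, which confirms the local entry holds no usable hash.
```

Two things worth keeping in mind while testing: saslauthd's own cache (`-c`) can mask a just-disabled AD account for the cache lifetime, and every simple bind that reaches slapd now costs one search plus one bind on a domain controller, which is the load Howard's reply is about.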
openldap-technical@openldap.org