3:23 a.m.
Hello,
I was wondering if it is possible to configure OpenLDAP 2.4 to only check the password
validation with Active Directory and have the rest of the user attributes, such as mail,
loginShell, homeDirectory, etc. come from OpenLDAP? Any pointers, guides, howto’s or even
“let me google that for you” are highly appreciated.
Cheers
Mattias
4 a.m.
Mattias Segerdahl wrote:
Hello,
I was wondering if it is possible to configure OpenLDAP 2.4 to only check the
password validation with Active Directory and have the rest of the user
attributes, such as mail, loginShell, homeDirectory, etc. come from OpenLDAP?
Any pointers, guides, howto’s or even “let me google that for you” are highly
appreciated.
Several ways to do that. Use the adauth overlay, or the remoteauth overlay, or
the pbind overlay, for example.
Overall it's a bad idea, Active Directory authentication is thousands of times
slower than OpenLDAP authentication. You can very easily overload the AD
server on an active network.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
5:42 a.m.
Am 28.05.2014 13:00, schrieb Howard Chu:
Mattias Segerdahl wrote:
> Hello,
>
> I was wondering if it is possible to configure OpenLDAP 2.4 to only
> check the
> password validation with Active Directory and have the rest of the user
> attributes, such as mail, loginShell, homeDirectory, etc. come from
> OpenLDAP?
> Any pointers, guides, howto’s or even “let me google that for you”
> are highly
> appreciated.
Several ways to do that. Use the adauth overlay, or the remoteauth
overlay, or the pbind overlay, for example.
Another possibility is to do it with
SASL Pass-Through (see 14.5. of
http://www.openldap.org/doc/admin24/security.html).
Quite simple, but beware: make sure that the sasl deamon is configured
to use ldaps when connecting to AD since the clear text password is
transmitted.
Overall it's a bad idea, Active Directory authentication is thousands
of times slower than OpenLDAP authentication. You can very easily
overload the AD server on an active network.
This of course is correct. Only do it, if you don't expect heavy load!
Cheers,
Peter
--
Peter Gietz, CEO
DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany
phone: +49 7071 407109-0
fax: +49 7071 407109-9
email: peter.gietz(a)daasi.de
web: www.daasi.de
Sitz der Gesellschaft: Tübingen
Registergericht: Amtsgericht Stuttgart, HRB 382175
Geschäftsleitung: Peter Gietz
4:34 a.m.
On May 28, 2014 5:40 AM, "Mattias Segerdahl"
<mattias.segerdahl(a)jeppesen.com>
wrote:
Hello,
I was wondering if it is possible to configure OpenLDAP 2.4 to only check
the
password validation with Active Directory and have the rest of the user
attributes, such as mail, loginShell, homeDirectory, etc. come from
OpenLDAP? Any pointers, guides, howto’s or even “let me google that for
you” are highly appreciated.
Cheers
Mattias
Hmm, i've never done that, but if you do it i'd recommend using AD with
Kerberos. But if you're using AD already, why have a separate LDAP server
for your nsswitch data when AD also supports the rfc2307 schema? Maybe
better to use OpenLDAP plus MIT or heimdal. If you need a Windows domain
controller, maybe take a look at samba 4:
https://lists.samba.org/archive/samba-technical/2014-May/100016.html
4:49 a.m.
2014-05-28 12:23 GMT+02:00 Mattias Segerdahl <mattias.segerdahl(a)jeppesen.com
:
Hello,
I was wondering if it is possible to configure OpenLDAP 2.4 to only check
the password validation with Active Directory and have the rest of the user
attributes, such as mail, loginShell, homeDirectory, etc. come from
OpenLDAP? Any pointers, guides, howto’s or even “let me google that for
you” are highly appreciated.
Hi,
one solution is to use SASL passtrough authentication:
http://ltb-project.org/wiki/documentation/general/sasl_delegation
Of course, others solutions are fine too.
Clément.
3479
days inactive
3479
days old
openldap-technical@openldap.org
4 comments
5 participants
participants (5)
-
A. P. Garcia -
Clément OUDOT -
Howard Chu -
Mattias Segerdahl -
Peter Gietz