On 28.05.2014 13:00, Howard Chu wrote:
> Mattias Segerdahl wrote:
> > Hello,
> >
> > I was wondering if it is possible to configure OpenLDAP 2.4 to only check the
> > password validation with Active Directory and have the rest of the user
> > attributes, such as mail, loginShell, homeDirectory, etc. come from OpenLDAP?
> > Any pointers, guides, howto’s or even “let me google that for you” are highly
> > appreciated.
> Several ways to do that. Use the adauth overlay, or the remoteauth
> overlay, or the pbind overlay, for example.
Another possibility is to do it with SASL Pass-Through (see section 14.5 of
http://www.openldap.org/doc/admin24/security.html).
Quite simple, but beware: make sure that the sasl daemon is configured
to use ldaps when connecting to AD since the clear text password is
transmitted.
> Overall it's a bad idea, Active Directory authentication is thousands
> of times slower than OpenLDAP authentication. You can very easily
> overload the AD server on an active network.
This of course is correct. Only do it, if you don't expect heavy load!
Cheers,
Peter
--
Peter Gietz, CEO
DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany
phone: +49 7071 407109-0
fax: +49 7071 407109-9
email: peter.gietz(a)daasi.de
web: www.daasi.de
Registered office: Tübingen
Commercial register: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz
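To make the SASL pass-through setup and Peter's ldaps caveat concrete, the following is an added example (not from the thread, and not the project's own files) of the three pieces involved: the saslauthd LDAP configuration, the libsasl configuration slapd reads, and the slapd directives plus the `{SASL}` form of userPassword that the admin guide describes. The weak `ldap://` line is kept beside the corrected `ldaps://` line to show the difference Peter warns about. Host names, DNs, file paths and the lookup account are constructed placeholders.

```conf
# Added example, not from the thread: SASL pass-through from slapd to
# saslauthd, with saslauthd binding to Active Directory over ldaps.
# dc1/dc2.example.com, the DNs, the CA file and the lookup account are
# constructed placeholders.

# --- /etc/saslauthd.conf  (used by: saslauthd -a ldap -O /etc/saslauthd.conf) ---
# Weak: plain ldap:// with no TLS sends every user's password in clear text
# ldap_servers: ldap://dc1.example.com
# Corrected: LDAP over TLS, CA pinned, peer certificate verified
ldap_servers: ldaps://dc1.example.com ldaps://dc2.example.com
ldap_tls_cacert_file: /etc/ssl/certs/example-ad-ca.pem
ldap_tls_check_peer: yes
ldap_version: 3
# "bind" method: saslauthd searches for the user with the lookup account,
# then binds as the found DN with the password it was handed
ldap_auth_method: bind
ldap_bind_dn: cn=ldap-lookup,ou=Service Accounts,dc=example,dc=com
ldap_bind_pw: LOOKUP-ACCOUNT-PASSWORD-PLACEHOLDER
ldap_search_base: ou=People,dc=example,dc=com
ldap_filter: (sAMAccountName=%u)

# --- /etc/sasl2/slapd.conf  (libsasl configuration read by slapd) ---
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- slapd.conf  (or the matching cn=config attributes) ---
# sasl-realm supplies the realm when a {SASL} value omits it
sasl-host localhost
sasl-realm EXAMPLE.COM

# --- User entry in OpenLDAP (LDIF excerpt, shown as comments) ---
# The attributes stay local; only the password check is delegated.
# dn: uid=jdoe,ou=People,dc=example,dc=com
# mail: jdoe@example.com
# loginShell: /bin/bash
# homeDirectory: /home/jdoe
# userPassword: {SASL}jdoe@EXAMPLE.COM
```

Two things the ldaps line does not cover: `ldap_bind_pw` sits in clear text in saslauthd.conf, so the file should be readable by root only, and the password still travels in clear from slapd to saslauthd over the local mux socket, which is acceptable only because that socket never leaves the host. Howard's load point stands as well: with this setup every simple bind against OpenLDAP turns into a search plus a bind against AD.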