I have OpenLDAP version 2.4 installed on an OpenSUSE box. I am using it as an LDAP Proxy to Windows AD domain. It works perfectly using standard LDAP logon credentials (cn=user,DC=domain,DC=com). But I have some applications that use user@domain.com logon credentials. Is there a way to configure OpenLDAP to authenticate in this way? Slapd config file available on request.
Thanks!
Josh Spranger Sr. Network Engineer
Josh Spranger wrote:
I have OpenLDAP version 2.4 installed on an OpenSUSE box. I am using it as an LDAP Proxy to Windows AD domain. It works perfectly using standard LDAP logon credentials (cn=user,DC=domain,DC=com). But I have some applications that use user@domain.com logon credentials. Is there a way to configure OpenLDAP to authenticate in this way? Slapd config file available on request.
Simple LDAP Bind with userPrincipalName instead of a Bind-DN is an AD-specific thing. You have to fix your client apps.
Ciao, Michael.
But if I go direct to AD LDAP with UPN it works fine, and I am not sure where the authentication is actually performed in Proxy mode, whether it is authenticated on the openldap side or if the credentials are passed straight through without any processing in openldap.
-----Original Message----- From: Michael Ströder [mailto:michael@stroeder.com] Sent: Friday, December 03, 2010 12:14 PM To: Josh Spranger Cc: 'openldap-technical@openldap.org' Subject: Re: OpenLDAP 2.4 authentication methods
Josh Spranger wrote:
I have OpenLDAP version 2.4 installed on an OpenSUSE box. I am using it as an LDAP Proxy to Windows AD domain. It works perfectly using standard LDAP logon credentials (cn=user,DC=domain,DC=com). But I have some applications that use user@domain.com logon credentials. Is there a way to configure OpenLDAP to authenticate in this way? Slapd config file available on request.
Simple LDAP Bind with userPrincipalName instead of a Bind-DN is an AD-specific thing. You have to fix your client apps.
Ciao, Michael.
Josh Spranger wrote:
But if I go direct to AD LDAP with UPN it works fine,
As said. It's AD-specific handling of a simple bind request. RFC 4511 requires BindRequest::name to be an LDAPDN.
See section 4.2 in http://www.ietf.org/rfc/rfc4511.txt
and I am not sure where the authentication is actually performed in Proxy mode, whether it is authenticated on the openldap side or if the credentials are passed straight through without any processing in openldap.
Normally, when using back-ldap, password checking is performed on the target server (here MS AD). But OpenLDAP does not accept this form of simple bind request, since the request is malformed per the LDAPv3 standard, and therefore this malformed request is not passed to MS AD.
=> fix your LDAP clients
Ciao, Michael.
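To make Michael's two points concrete (the name field of a simple BindRequest is an LDAPDN per RFC 4511, and a strict server rejects a non-DN name before anything is proxied to AD), here is an added example that is not code from this thread or from the OpenLDAP project. It encodes a simple bind as LDAPv3 BER, decodes it again, and then models the front-end decision: a well-formed DN is forwarded so the target server can check the password; a UPN such as user@domain.com is answered locally with resultCode 34 (invalidDNSyntax). Assumptions: Python 3 standard library only; the DN grammar is a rough approximation of RFC 4514 for illustration, not slapd's real parser; the credentials and the "forwarded" outcome are constructed sample values, no network connection is made.

```python
import re

# Rough RFC 4514 string-DN grammar: attr=value RDNs, '+' for multi-valued RDNs,
# ',' between RDNs, backslash escapes inside values. An approximation for
# illustration, not slapd's actual DN parser (assumption).
_ATTR = r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)"
_VALUE = r"(?:[^,+\\]|\\.)*"
_RDN = rf"{_ATTR}={_VALUE}(?:\+{_ATTR}={_VALUE})*"
_DN_RE = re.compile(rf"^{_RDN}(?:\s*,\s*{_RDN})*$")

INVALID_DN_SYNTAX = 34  # RFC 4511 resultCode invalidDNSyntax


def is_ldapdn(name: str) -> bool:
    """True if name is an LDAPDN in string form (the empty DN, i.e. anonymous, is valid)."""
    return name == "" or _DN_RE.match(name) is not None


# --- Minimal BER helpers, only what a simple BindRequest needs ---

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(v: int) -> bytes:
    # Shortest two's-complement encoding of a non-negative integer.
    return v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest { version 3, name, simple } }.

    On the wire the name is only an OCTET STRING, so a client can put
    'user@domain.com' into it; whether that is accepted is up to the server.
    """
    bind = (_tlv(0x02, _ber_int(3))                    # version INTEGER
            + _tlv(0x04, name.encode("utf-8"))         # name LDAPDN
            + _tlv(0x80, password.encode("utf-8")))    # authentication [0] simple
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + _tlv(0x60, bind))


def parse_simple_bind(pdu: bytes) -> dict:
    """Decode the structure produced by build_simple_bind."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest ([APPLICATION 0])")
    _, ver, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind")
    return {"messageID": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(ver, "big", signed=True),
            "name": name.decode("utf-8"),
            "password": cred.decode("utf-8")}


def proxy_bind_decision(pdu: bytes):
    """Model of a strict LDAPv3 front end (slapd with back-ldap) handling a bind.

    Returns (forward, resultCode, diagnostic). A name that is not an LDAPDN is
    answered locally with invalidDNSyntax and never reaches the target; only a
    well-formed DN is forwarded so the target server (AD) can check the password.
    """
    req = parse_simple_bind(pdu)
    if not is_ldapdn(req["name"]):
        return False, INVALID_DN_SYNTAX, "invalid DN"
    return True, None, "forwarded to target for password check"


if __name__ == "__main__":
    for who in ("cn=user,DC=domain,DC=com", "user@domain.com"):
        pdu = build_simple_bind(1, who, "s3cret")  # constructed sample credentials
        print(who, "->", proxy_bind_decision(pdu))
```

The takeaway for the original question: nothing in the proxy "authenticates" the UPN form and nothing passes it through either; the request fails DN validation at the front end, which is why it works against AD directly but not via OpenLDAP.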