I have installed the LDAP Tool Box version of OpenLDAP on Centos8 for the purpose of a
proxy to AD. My proxy needs to "translate" from our old AD domain to our new
AD domain (I hate company name changes!).
We have some software that accesses our old domain with certain credentials, does searches
for groups and users, then binds as the appropriate user to authenticate the user.
From this legacy system I need to be able to:
1. Bind to the proxy with credentials I can't change. These look like user
"special-user(a)old.com". (Not a typical DN, looks more like a user principal).
2. Search a particular subtree for users and bind as that user to authenticate.
3. Search another subtree for groups and use an ad-style membership check to determine who
is a user, who is an admin, etc.
I need to be able to authenticate for the searching using the above special user, but the
proxy operation should use a different set of credentials when searching the backend. I
also need to translate subtrees and possibly individual DNs.
This is my (sanitized) slapd.conf:
index objectClass eq
I figured out what I think should be done in translating domains, subtrees, etc.
What I can't figure out is how to accept the "special-user(a)old.com" on the
front and then use another "Service Account" through the backend so I can search.
Once the frontend rebinds with the user's credentials, that needs to pass through.
Can anyone help me have a "split personality" when it comes to authentication?
Gary A. Algier
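One way to get the split described in the post with back-ldap's identity assertion, as an added sketch that is not the poster's configuration and has not been run against his setup. It assumes the legacy application can present the fixed account as a DN (slapd only accepts DN bind names), and every host, DN and password below is a constructed placeholder.

```conf
# Added example, not from the original post: slapd.conf fragment for a
# back-ldap proxy that accepts a fixed local account on the front end and
# searches the new AD forest as a separate service account.
database        ldap
suffix          "dc=old,dc=com"                  # naming context the legacy app expects
uri             "ldaps://dc.new.example.com/"    # placeholder: a DC in the new forest

# The application's unchangeable account is satisfied locally by slapd
# (rootdn + rootpw), so those credentials never need to exist in the new domain.
rootdn          "cn=special-user,dc=old,dc=com"  # placeholder for the fixed account
rootpw          "{SSHA}placeholder-hash"         # generate with slappasswd

# Identity assertion: non-bind operations from the identities matched by
# idassert-authzFrom are sent to AD as the service account. mode=none means
# no proxyAuthz control is attached, which AD would not accept anyway.
idassert-bind   bindmethod=simple
                binddn="cn=ldap-proxy-svc,cn=Users,dc=new,dc=com"
                credentials="placeholder-service-account-password"
                mode=none
idassert-authzFrom "dn.exact:cn=special-user,dc=old,dc=com"

# A user's own simple bind (step 2 in the post) is not affected: back-ldap
# forwards the bind, carrying the user's own password, to AD, which does
# the real authentication. Only the DN is rewritten by the overlay below.

# Translate the naming context between the old and new forests both ways.
overlay         rwm
rwm-suffixmassage "dc=old,dc=com" "dc=new,dc=com"
# Subtree- or DN-level exceptions need rwm-rewriteEngine on together with
# rwm-rewriteContext/rwm-rewriteRule entries for the bind and search contexts.
```

Keep the slapd.conf readable only by the slapd user, since the service account password sits in it in clear text, and log the proxy at a level that shows which backend identity each operation used while testing.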