Hi all,
We want to set up an OpenLDAP server that is a slave to our Active Directory. The LDAP server only has to replicate the necessary records to act as an address book for non-Exchange users.
Furthermore, the authentication has to be done against the users in the Active Directory.
I found some guides/examples to set up the authentication part, but none of them seems to do what we want, because it requires having the user in your OpenLDAP server with a special "userPassword {SASL}user@domain.com" entry. But we want the OpenLDAP database to contain only contact information and not username/password information.
Does anybody know how to set up such a thing and can give me some hints/guides/recipes on how to do this?
Thanks, Marco.
2012/12/14 Marco van Putten marco.vanputten@tudelft.nl:
> Hi all,
> We want to set up an OpenLDAP server that is a slave to our Active Directory. The LDAP server only has to replicate the necessary records to act as an address book for non-Exchange users.
> Furthermore, the authentication has to be done against the users in the Active Directory.
> I found some guides/examples to set up the authentication part, but none of them seems to do what we want, because it requires having the user in your OpenLDAP server with a special "userPassword {SASL}user@domain.com" entry. But we want the OpenLDAP database to contain only contact information and not username/password information.
> Does anybody know how to set up such a thing and can give me some hints/guides/recipes on how to do this?
You should take a look at the LSC project: http://lsc-project.org/wiki/documentation/2.0/start
Clément.
On 14/12/12 15:54, Clément OUDOT wrote:
> 2012/12/14 Marco van Putten marco.vanputten@tudelft.nl:
>> Hi all,
>> We want to set up an OpenLDAP server that is a slave to our Active Directory. The LDAP server only has to replicate the necessary records to act as an address book for non-Exchange users.
>> Furthermore, the authentication has to be done against the users in the Active Directory.
>> I found some guides/examples to set up the authentication part, but none of them seems to do what we want, because it requires having the user in your OpenLDAP server with a special "userPassword {SASL}user@domain.com" entry. But we want the OpenLDAP database to contain only contact information and not username/password information.
>> Does anybody know how to set up such a thing and can give me some hints/guides/recipes on how to do this?
> You should take a look at the LSC project: http://lsc-project.org/wiki/documentation/2.0/start
> Clément.
Thanks for your quick response. I'll look into it.
Marco.
On 12/14/12 15:33 +0100, Marco van Putten wrote:
> Hi all,
> We want to set up an OpenLDAP server that is a slave to our Active Directory. The LDAP server only has to replicate the necessary records to act as an address book for non-Exchange users.
> Furthermore, the authentication has to be done against the users in the Active Directory.
You can use slapo-pbind or slapd-ldap to forward simple binds to Active Directory. If you're performing SASL binds, you could configure slapd to use saslauthd to authenticate PLAIN SASL binds against Active Directory:
~$ cat /etc/saslauthd.conf
ldap_servers: ldap://192.0.2.5
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
or you could configure saslauthd to use its kerberos5 backend.
> I found some guides/examples to set up the authentication part, but none of them seems to do what we want, because it requires having the user in your OpenLDAP server with a special "userPassword {SASL}user@domain.com" entry. But we want the OpenLDAP database to contain only contact information and not username/password information.
> Does anybody know how to set up such a thing and can give me some hints/guides/recipes on how to do this?
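As an added example (not from anyone in the thread), here is a slapd.conf fragment for the slapo-pbind route described above: the local mdb database holds only the contact entries synchronised from AD, and every simple bind is forwarded to the domain controller. The host name dc.example.com, the suffix dc=example,dc=com, the CA file path and the directory path are placeholders.

```conf
# /etc/openldap/slapd.conf (excerpt) -- added example, not from the thread.
# Placeholders: dc.example.com, dc=example,dc=com, /etc/openldap/ca.pem

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

# Local database: only the address-book attributes copied from AD
# (cn, mail, telephoneNumber, ...). It carries no userPassword values.
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# Contact data is readable; userPassword is never exposed or usable here,
# so a stray password attribute slipping through the sync is inert.
access to attrs=userPassword
        by * none
access to *
        by * read

# Frontend overlay: Simple Binds are passed unchanged to AD over STARTTLS,
# so password checking happens on the domain controller, not in mdb.
# Assumption: the local entry DNs are DNs that AD accepts for a simple
# bind, because pbind forwards the bind DN as-is.
database        frontend
overlay         pbind
uri             ldap://dc.example.com
tls             start tls_cacert=/etc/openldap/ca.pem
network-timeout 5
```

Because pbind forwards every simple bind, the account the synchronisation tool writes with must also be valid in AD, or the tool should connect over ldapi:// with SASL EXTERNAL, which pbind does not intercept.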
openldap-technical@openldap.org