Le 30/03/2017 à 15:27, Curtiss Howard a écrit :
I've got two Active Directory servers that are being proxied through
OpenLDAP and their respective trees are being merged into one. So
far, so good.
Now I want to allow users to bind to the OpenLDAP server and pass the
authentication through to the appropriate AD and let it do the
I see a lot of documentation on using SASL for passthrough, but where
I'm stuck is that this requires every user to have an account in the
OpenLDAP server in order to see if the userPassword attribute is
specially formatted. In my case, this isn't really a palatable
solution because I'm using the OpenLDAP server with the meta backend
and using it as a "live view" into the data contained in the ADs.
Other applications can talk directly to the ADs and in order to do the
SASL approach there'd have to be some syncing from the ADs to the
OpenLDAP server every time a user is created/deleted.
I would think that surely there must be some way to pass through the
authentication in a more obvious manner -- i.e., if the user doesn't
exist locally, try to bind against each proxied server in succession.
But I can't seem to find a way to do this, all references point to the
Is there a way to do this?
as far as I know, you need to have a local entry with a SASL password to
do authentifcation passtrough. I wrote a documentation on that subject:
To synchronize AD entries to OpenLDAP, you can use LSC, see
Consultant en logiciels libres, Expert infrastructure et sécurité
137 boulevard de Magenta - 75010 PARIS