I'm trying to set up a way to have bind requests authenticated by logging into an external LDAP server. But to make things more complicated, I only want to do it if a certain attribute is defined on the user's entry.
The details: When a user binds, check to see if the 'seeAlso' attribute is defined for the user. If 'seeAlso' is not defined, try to authenticate as normal using the 'userPassword' stored in the local database. If it is defined, 'seeAlso' will contain the DN of the user in another LDAP database (Active Directory in this case). Use the seeAlso DN to determine the URI of the LDAP DB to connect to (right now there is only one Active Directory server, but it would be nice to be able to use different URIs for different suffixes down the road). Attempt to bind to the remote database using the seeAlso DN. If the remote bind succeeds, the local bind also succeeds.
The goal here is to allow users to opt into using their Active Directory password for authentication. No data will be pulled from the remote LDAP and overlaid on the local account; it is strictly bind authentication only.
From searching around, I'm not sure what to use to do this. It seems like slapd-ldap and slapo-chain might both do the remote LDAP thing, and then I might use slapo-rwm to somehow do a conditional test for the seeAlso attribute and rewrite the bind DN, but I'm not sure. If anyone could tell me if my idea is even possible, and some starting points if so, it would be much appreciated.
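As an added illustration, not code from this thread or from OpenLDAP, here is the bind decision described above written out in Python so the flow can be exercised before deciding whether it lives in slapd or in front of it. The REMOTE_URIS suffix-to-URI map, the make_ssha helper and the remote_bind callback are assumptions; the local check verifies an OpenLDAP-style {SSHA} userPassword, and an empty password is refused rather than forwarded, because a simple bind with an empty password is an unauthenticated bind on the remote server.

```python
import base64
import hashlib
import hmac

# Constructed suffix -> URI map (placeholder values, not from the thread).
REMOTE_URIS = {"dc=ad,dc=example,dc=com": "ldaps://ad.example.com"}


def dn_suffix(dn):
    """Domain-component suffix of a DN, lowercased (naive split; ignores escaped commas)."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return ",".join(p for p in parts if p.startswith("dc="))


def remote_uri_for(dn):
    """Pick the remote server by the seeAlso DN's suffix; None when nothing is configured."""
    return REMOTE_URIS.get(dn_suffix(dn))


def make_ssha(password, salt=b"\x01\x02\x03\x04"):
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt). Fixed salt for the demo."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored, password):
    """Verify a supplied password against a stored {SSHA} userPassword value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    calc = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)


def authenticate(entry, password, remote_bind):
    """entry: local attributes (lists of values); remote_bind(uri, dn, password) -> bool."""
    if not password:
        # An empty password is an unauthenticated bind upstream (RFC 4513 5.1.2):
        # never forward it and never count it as success.
        return False
    see_also = entry.get("seeAlso")
    if not see_also:
        return check_ssha(entry.get("userPassword", [""])[0], password)
    uri = remote_uri_for(see_also[0])
    if uri is None:
        return False  # opted in, but no server for that suffix: fail closed
    return remote_bind(uri, see_also[0], password)
```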
On 02/05/11 16:48 -0600, Patrick H. wrote:
What software will be performing the authentication? Is the LDAP protocol exposed to the end user, or are they authenticating to a web server or some such?
Can you accomplish this programmatically or via a script? Or is this functionality that has to logically be accomplished within slapd?
Sent: Wed May 04 2011 13:58:44 GMT-0600 (MST)
From: Dan White dwhite@olp.net
To: Patrick H. openldap-technical@stormcloud9.net, openldap-technical@openldap.org
Subject: Re: conditional bind authentication against external ldap server
Attempting to authenticate via LDAP bind. Has to be via LDAP bind.