Hi,
I am building a solution for web-based application authentication using OpenLDAP as a backend data source. But in my case, OpenLDAP acts as a proxy and all user information is stored on AD servers. I can get some fields from AD into OpenLDAP, but that is not enough for my apps to authenticate users, because OpenLDAP can't get the password field from the ADs. So, does OpenLDAP have another solution for my problem?
Thanks and Best regards,
Phạm Tùng Dương
How about using ldapsearch with binddn and bindpw set to the user's credentials and doing a search for that user.
If an incorrect password is supplied, you won't/shouldn't get a valid reply.
Peter
On Fri, 2009-02-13 at 16:54 +0700, Duong Pham Tung wrote:
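The check Peter describes, written out as an added example (it is not code from the thread or from the OpenLDAP project): bind to the directory as the user and treat a successful bind as a successful login. Two guards are added that a bare `ldapsearch -D ... -w ...` lacks, and they matter whichever server the application binds to, an OpenLDAP proxy included. The host in `LDAP_URI`, the base DN and the `uid=<name>` naming are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: authenticate a web user by binding as
# that user.  Assumed (not in the original thread): LDAP_URI, BASE_DN, users
# named uid=<name>,<BASE_DN>, a server that supports StartTLS, and the
# OpenLDAP client tool ldapwhoami being installed.

LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"   # assumed directory host
BASE_DN="${BASE_DN:-ou=people,dc=example,dc=com}" # assumed user base

# Returns 0 if the user authenticated, 49 (LDAP invalidCredentials) on a bad
# password, 2 if the input is refused before any network traffic, 1 on any
# other error.  The password is never printed.
ldap_auth_check() {
    username="$1"
    password="$2"

    # Guard 1: an empty password is NOT a failed login.  RFC 4513 section 5.1.2
    # lets a server treat a bind with a DN and an empty password as an
    # anonymous ("unauthenticated") bind; Active Directory does this, and slapd
    # does if "allow bind_anon_dn" is set.  A naive check would then accept any
    # username with no password at all, so refuse it here.
    if [ -z "$password" ]; then
        return 2
    fi

    # Guard 2: never splice the raw username into a DN.  RFC 4514 special
    # characters (',', '+', '=', '\', '"', etc.) would change which entry the
    # bind applies to, so only allow a conservative character set.
    case "$username" in
        *[!A-Za-z0-9._-]*|"") return 2 ;;
    esac

    # -x: simple bind.  -ZZ: require StartTLS so the password is not sent in
    # clear.  -w takes the password from the argument; prefer -y FILE in
    # production so it does not show up in the process list.
    if ldapwhoami -x -ZZ -H "$LDAP_URI" \
            -D "uid=$username,$BASE_DN" -w "$password" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    # OpenLDAP client tools exit with the LDAP result code; 49 is
    # invalidCredentials.  Anything else (unreachable, TLS failure, tool
    # missing) is an error, not a verdict on the password.
    case "$rc" in
        0)  return 0 ;;
        49) return 49 ;;
        *)  return 1 ;;
    esac
}

# Stand-alone usage: ./bindcheck.sh jdoe 's3cret'
if [ "$#" -eq 2 ]; then
    ldap_auth_check "$1" "$2"
    rc=$?
    case "$rc" in
        0)  echo "authenticated" ;;
        49) echo "invalid credentials" ;;
        2)  echo "rejected before contacting the directory" ;;
        *)  echo "directory error (exit $rc)" ;;
    esac
    exit "$rc"
fi
```

The distinction between 49 and "other error" is deliberate: a directory outage must not be logged or rate-limited as a wrong password, and must never be treated as a success.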
But if I use that, the apps must query the AD server directly instead of querying OpenLDAP. In my security context, that is forbidden.
-----Original Message----- From: Peter Gordon Sent: 13 February 2009 5:05 PM To: Duong Pham Tung Cc: openldap-technical@openldap.org Subject: Re: Can OpenLDAP get password from AD
On Fri, 13 Feb 2009 16:54:36 +0700, "Duong Pham Tung" duongpt3@fpt.com.vn wrote:
OpenLDAP can delegate authentication to another LDAP server, using a SASL mechanism. In practice, in your LDAP account information on server A, you have some information in your password field that tells OpenLDAP how it can replay the user's authentication on another LDAP server B. This works perfectly with Active Directory. You have to compile OpenLDAP with cyrus-sasl.
Maybe it can solve your problem.
Cheers, Thomas.
On 13.02.2009 10:54, Duong Pham Tung wrote:
Hi,
You could use saslauthd to perform bind operations against the AD server. See http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authenticat...
Jonathan
On Fri, Feb 13, 2009 at 04:54:36PM +0700, Duong Pham Tung wrote:
This requirement comes up on the mailing lists quite often, so you would do well to search the archives.
The first thing to understand is that you *cannot* extract password data from AD because it is not there. AD defers authentication to Kerberos, which does not store a usable password either.
There are several ways around the problem. One is to use pass-through authentication:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authenticat...
Other possibilities are:
- Use back-meta and slapo-rwm to make your AD namespace look like the one you want for LDAP.
- Use one of the contributed overlays that do password callouts (either to LDAP or directly to Kerberos) and store the password in OpenLDAP if it is correct. There are at least two choices here, but I don't think either has been rolled into the OpenLDAP distribution yet so you would have to build them yourself.
You may also want to look at systems to capture passwords on AD when they are changed. There are several packages that do that by pretending to be password quality checkers. Microsoft ship one as part of SFU, there is a free one on Sourceforge, and most commercial directory synchronisation products have them.
Andrew
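The pass-through setup that Thomas, Jonathan and Andrew point to, as an added example that is neither code from the thread nor from the OpenLDAP project. The script writes the three pieces to a directory for review rather than into place: the saslauthd configuration that binds to AD as the user, the SASL library file that makes slapd hand password checks to saslauthd, and an LDIF giving the proxied entry a `{SASL}` userPassword instead of a hash. The AD host, search base, lookup account, local base DN, realm, CA file and socket path are all assumptions; slapd must be built with cyrus-sasl and `--enable-spasswd` for the `{SASL}` scheme to exist.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenLDAP project.  Writes the
# three files of an OpenLDAP -> saslauthd -> Active Directory pass-through
# setup into a review directory.  Every host, DN, realm and path is assumed.

set -u

AD_URI="ldap://ad.example.com/"                       # assumed domain controller
AD_BASE="dc=example,dc=com"                           # assumed AD search base
AD_BIND_DN="cn=saslauthd,cn=Users,dc=example,dc=com"  # assumed read-only lookup account
LOCAL_BASE="ou=people,dc=example,dc=org"              # assumed base of the OpenLDAP copies
REALM="EXAMPLE.COM"                                   # assumed SASL realm (saslauthd -r)
MUX="/var/run/saslauthd/mux"                          # saslauthd socket; distro-specific

# 1. saslauthd.conf, used by "saslauthd -a ldap -O <file>": find the user with
#    the lookup account, then bind to AD *as the user* with the password being
#    checked.  No hash ever leaves AD, which is why this works at all.
write_saslauthd_conf() {
    cat > "$1/saslauthd.conf" <<EOF
ldap_servers: $AD_URI
ldap_version: 3
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ssl/certs/ad-ca.pem
ldap_bind_dn: $AD_BIND_DN
ldap_bind_pw: CHANGE-ME
ldap_search_base: $AD_BASE
ldap_filter: (sAMAccountName=%U)
ldap_auth_method: bind
EOF
    chmod 0600 "$1/saslauthd.conf"   # holds the lookup account's password
}

# 2. The SASL library config slapd reads (usually /etc/sasl2/slapd.conf or
#    /usr/lib/sasl2/slapd.conf): route plaintext password checks to saslauthd.
write_slapd_sasl_conf() {
    cat > "$1/slapd.conf" <<EOF
pwcheck_method: saslauthd
saslauthd_path: $MUX
EOF
}

# 3. The proxied entry stores no secret, only a pointer.  On a simple bind
#    slapd hands "<user>@<realm>" and the supplied password to the SASL
#    library, which forwards them to saslauthd over the socket.
sasl_userpassword() {
    printf '{SASL}%s@%s\n' "$1" "$REALM"
}

write_user_ldif() {
    cat > "$2/$1.ldif" <<EOF
dn: uid=$1,$LOCAL_BASE
changetype: modify
replace: userPassword
userPassword: $(sasl_userpassword "$1")
EOF
}

# Stand-alone usage: ./passthrough.sh /tmp/review jdoe
if [ "$#" -eq 2 ]; then
    mkdir -p "$1"
    write_saslauthd_conf "$1"
    write_slapd_sasl_conf "$1"
    write_user_ldif "$2" "$1"
    cat <<EOF
Wrote $1/saslauthd.conf, $1/slapd.conf and $1/$2.ldif.
After copying them into place and starting saslauthd -a ldap -O /etc/saslauthd.conf:
  testsaslauthd -f $MUX -r $REALM -u $2 -p 'the AD password'
  ldapmodify -x -ZZ -D <your rootdn> -W -f $1/$2.ldif
  ldapwhoami  -x -ZZ -D uid=$2,$LOCAL_BASE -W
EOF
fi
```

Test saslauthd on its own with `testsaslauthd` before touching slapd, so that a failure can be attributed to the AD side (lookup account, filter, TLS trust) rather than to the `{SASL}` scheme. Two things to keep in mind: `saslauthd.conf` carries the lookup account's password in clear, so it needs the restrictive mode set above, and anyone who can write to the mux socket can submit password guesses against AD, so the socket directory should be restricted to slapd's user and AD's lockout policy should be in force for the accounts involved.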