We run in a mixed environment, with both Active Directory and LDAP directory servers. Some users exist in both LDAP and AD, while some are just in AD. As such, we always have obstacles with password sync between directories.
Is it possible to set up an OpenLDAP proxy (if that's the correct term), which would authenticate via Active Directory if the user exists there (or if a flag is present in the LDAP entry, etc), otherwise via LDAP if the user is not an AD user, thereby eliminating the need to store the password in both directories? Directory information would otherwise be pulled from the LDAP server, not from Active Directory.
2013/6/12 Jason Brandt jbrandt@fsmail.bradley.edu:
We run in a mixed environment, with both Active Directory and LDAP directory servers. Some users exist in both LDAP and AD, while some are just in AD. As such, we always have obstacles with password sync between directories.
Is it possible to set up an OpenLDAP proxy (if that's the correct term), which would authenticate via Active Directory if the user exists there (or if a flag is present in the LDAP entry, etc), otherwise via LDAP if the user is not an AD user, thereby eliminating the need to store the password in both directories? Directory information would otherwise be pulled from the LDAP server, not from Active Directory.
You could use pass-through authentication with SASL. See http://ltb-project.org/wiki/documentation/general/sasl_delegation
Clément.
That appears to be exactly what I was looking for. So, if I used something like {SASL}user@domain in the userPassword attribute, it would use external auth, whereas if we populated the attribute with the SSHA password, it would still authenticate via LDAP, correct?
Appreciate the help.
On Wed, Jun 12, 2013 at 10:00 AM, Clément OUDOT clem.oudot@gmail.com wrote:
2013/6/12 Jason Brandt jbrandt@fsmail.bradley.edu:
We run in a mixed environment, with both Active Directory and LDAP directory servers. Some users exist in both LDAP and AD, while some are just in AD. As such, we always have obstacles with password sync between directories.
Is it possible to set up an OpenLDAP proxy (if that's the correct term), which would authenticate via Active Directory if the user exists there (or if a flag is present in the LDAP entry, etc), otherwise via LDAP if the user is not an AD user, thereby eliminating the need to store the password in both directories? Directory information would otherwise be pulled from the LDAP server, not from Active Directory.
You could use pass-through authentication with SASL. See http://ltb-project.org/wiki/documentation/general/sasl_delegation
Clément.
2013/6/12 Jason Brandt jbrandt@fsmail.bradley.edu:
That appears to be exactly what I was looking for. So, if I used something like {SASL}user@domain in the userPassword attribute, it would use external auth, whereas if we populated the attribute with the SSHA password, it would still authenticate via LDAP, correct?
Yes, it is correct.
Appreciate the help.
You're welcome.
Clément.
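Added example, not from the thread or from OpenLDAP's own code: a small model of the per-entry dispatch that the {SASL} versus {SSHA} scheme prefix gives you. {SSHA} values are verified locally (base64 of a SHA-1 digest followed by its salt); {SASL}user@realm holds no secret at all and is handed to a delegate, which in a real deployment is saslauthd started with "-a ldap" and pointed at AD through /etc/saslauthd.conf, with "pwcheck_method: saslauthd" in slapd's SASL config. The delegate, the realm "example.com" and the FAKE_AD table below are constructed stand-ins so the logic runs offline.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, Optional

# (user, realm, password) -> accepted; stands in for slapd's call into saslauthd
Delegate = Callable[[str, str, str], bool]


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = salt if salt is not None else os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored: str, password: str) -> bool:
    """Verify against {SSHA}: first 20 decoded bytes are the digest, the rest the salt."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def check_password(user_password: str, password: str, delegate: Delegate) -> bool:
    """Pick the verifier from the userPassword scheme prefix, as the thread describes."""
    if user_password.startswith("{SASL}"):
        # Nothing secret is stored in LDAP for this user; the value is only an
        # identity. It is split at '@' into user and realm for saslauthd to check.
        user, _, realm = user_password[len("{SASL}"):].partition("@")
        if not user or not realm:
            return False
        return delegate(user, realm, password)
    if user_password.startswith("{SSHA}"):
        return check_ssha(user_password, password)
    return False  # unknown or cleartext scheme: refuse rather than guess


# Constructed stand-in for "saslauthd -a ldap" talking to AD: realm -> user -> password.
FAKE_AD = {"example.com": {"jdoe": "Winter2013!"}}


def fake_saslauthd(user: str, realm: str, password: str) -> bool:
    expected = FAKE_AD.get(realm, {}).get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


if __name__ == "__main__":
    entries = {"jdoe": "{SASL}jdoe@example.com", "local1": make_ssha("s3cret")}
    for uid, stored in entries.items():
        attempt = "Winter2013!" if uid == "jdoe" else "s3cret"
        print(uid, check_password(stored, attempt, fake_saslauthd))
```

The point for operations is visible in the {SASL} branch: a dump of the LDAP database yields no AD credential for those users, but slapd must now be able to reach saslauthd and AD for every simple bind they make.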
openldap-technical@openldap.org