10:58 p.m.
I am trying to develop a ldap client with openldap and cyrus-sasl, there is
one feature that user can directly sign to the ldap server if he is in a
domain.
Does anyone have used openldap like this?
Thanks a lot.
12:09 p.m.
On 24/06/11 13:58 +0800, Jintao Fang wrote:
I am trying to develop a ldap client with openldap and cyrus-sasl,
there is
one feature that user can directly sign to the ldap server if he is in a
domain.
Does anyone have used openldap like this?
Thanks a lot.
If your goal is to simply authenticate a user against an active directory
via ldap, one of these approaches should work (or by using similar
parameters via code):
ldapsearch -Y digest-md5 -U jsmith -H ldap://192.168.1.1 <filter>
kinit jsmith(a)ADDOMAIN.COM
ldapsearch -Y gssapi -H ldap://192.168.1.1 <filter>
The following will also work with saslauthd (/etc/saslauthd.conf):
ldap_servers: ldap://192.168.1.1
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
If that doesn't address your question, please provide additional details,
such as a deployment scenario.
--
Dan White
12:58 a.m.
On 24/6/2011 10:09 μμ, Dan White wrote:
If that doesn't address your question, please provide additional
details,
such as a deployment scenario.
From what I understand, the scenario seems to be:
1. The (windows) client is already authenticated against Windows
Active Directory and logged in a domain.
2. We have somewhere an OpenLDAP Server running and we want to allow
access to it to clients already authenticated/logged in the domain
(i.e. without performing another authentication in OpenLDAP).
How can we do it?
Nick.
2:33 a.m.
On 06/27/2011 08:58 AM, Nick Milas wrote:
On 24/6/2011 10:09 μμ, Dan White wrote:
> If that doesn't address your question, please provide additional
> details,
> such as a deployment scenario.
>
From what I understand, the scenario seems to be:
1. The (windows) client is already authenticated against Windows
Active Directory and logged in a domain.
2. We have somewhere an OpenLDAP Server running and we want to allow
access to it to clients already authenticated/logged in the domain
(i.e. without performing another authentication in OpenLDAP).
How can we do it?
Nick.
Use Kerberos.
R's,
Hugo Monteiro.
--
fct.unl.pt:~# cat .signature
Hugo Monteiro
Email : hugo.monteiro(a)fct.unl.pt
Telefone : +351 212948300 Ext.15307
Web : http://hmonteiro.net
Divisão de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548
www.fct.unl.pt apoio(a)fct.unl.pt
fct.unl.pt:~# _
2:48 a.m.
Nick Milas wrote:
On 24/6/2011 10:09 μμ, Dan White wrote:
> If that doesn't address your question, please provide additional details,
> such as a deployment scenario.
>
From what I understand, the scenario seems to be:
1. The (windows) client is already authenticated against Windows
Active Directory and logged in a domain.
2. We have somewhere an OpenLDAP Server running and we want to allow
access to it to clients already authenticated/logged in the domain
(i.e. without performing another authentication in OpenLDAP).
How can we do it?
Use Kerberos. You will need to create a Kerberos service principal for the
OpenLDAP server in the AD domain. The LDAP clients can then use SASL/GSSAPI
with their Windows AD credentials to authenticate to slapd.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
4470
days inactive
4473
days old
openldap-technical@openldap.org
4 comments
5 participants
participants (5)
-
Dan White -
Howard Chu -
Hugo Monteiro -
Jintao Fang -
Nick Milas