Hi,
Is it possible to use OpenLDAP client to authenticate against Active Directory without using Samba or SUF ?
Thanks, Vinay
hi,
you should ask that question on an OpenLDAP _CLIENT_ mailinglist. :)
bye.
On Thu, Sep 16, 2010 at 14:56, Vinay Kalkoti <kalkoti.vinay@gmail.com> wrote:
> Hi,
> Is it possible to use OpenLDAP client to authenticate against Active Directory without using Samba or SUF ?
> Thanks, Vinay
On 17/09/2010 11:49, Benjamin Griese wrote:
> you should ask that question on an OpenLDAP _CLIENT_ mailinglist. :)
Just for clarification, this mailing list actually is appropriate, as indicated in the list description at http://www.openldap.org/lists/mm/listinfo/openldap-technical :
"This list is intended for discussion of technical issues related to the use of OpenLDAP Software."
OpenLDAP software includes slapd, the libraries, utilities, tools and sample clients (from http://www.openldap.org).
Jonathan
On 16/09/10 18:26 +0530, Vinay Kalkoti wrote:
> Hi,
> Is it possible to use OpenLDAP client to authenticate against Active Directory without using Samba or SUF ?
Yes. I've seen both GSSAPI and DIGEST-MD5 SASL binds work.
AD (or maybe its DIGEST-MD5 implementation) seems to be picky about PTR records, so you'll want to make sure you can do a 'dig -x <ip address>' against the AD server.
This works for me:
    ldapwhoami -Y DIGEST-MD5 -U jsmith -H ldap://ad.example.com
    SASL/DIGEST-MD5 authentication started
    Please enter your password:
    SASL username: jsmith
    SASL SSF: 128
    SASL data security layer installed.
    ldap_parse_result: Protocol error (2)
            additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece
    Result: Protocol error (2)
    Additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece
Which represents a successful authentication. I guess AD doesn't support the LDAPWHOAMI exop (Windows Server 2003).
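The following is an added example, not code from the thread or from the OpenLDAP project. It wraps the DIGEST-MD5 bind test Dan describes: a PTR lookup for the server address, and a classifier for the ldapwhoami output that treats the AD "Unknown extended request OID" (0000203D) response as a successful bind whose Who Am I? exop was merely refused, so a non-zero exit status from ldapwhoami is not mistaken for an authentication failure. The host ad.example.com, the user jsmith and the sample outputs are constructed placeholders; the password is read from a file with -y rather than placed on the command line.

```shell
#!/bin/sh
# Added example (not from the thread). Names and sample output are constructed.

# DIGEST-MD5 binds to AD are reported to need a PTR record for the server
# address. Returns 0 when a reverse lookup yields an answer.
check_ptr() {
    # $1 = IP address of the AD server
    answer=$(dig -x "$1" +short 2>/dev/null)
    [ -n "$answer" ]
}

# Classify the captured stdout+stderr of an ldapwhoami run.
#   auth-ok-exop-unsupported  SASL bind succeeded, AD refused the whoami exop
#   auth-ok                   SASL bind succeeded and whoami was answered
#   auth-failed               server rejected the credentials
#   unknown                   anything else (network error, typo, ...)
classify_whoami_output() {
    # $1 = full output text
    case $1 in
        *"SASL data security layer installed."*"Unknown extended request OID"*)
            echo auth-ok-exop-unsupported ;;
        *"SASL data security layer installed."*)
            echo auth-ok ;;
        *"Invalid credentials"*)
            echo auth-failed ;;
        *)
            echo unknown ;;
    esac
}

# Run the bind test non-interactively and print the classification.
ad_sasl_bind_check() {
    # $1 = AD host, $2 = SASL user id, $3 = file holding the password
    output=$(ldapwhoami -Y DIGEST-MD5 -U "$2" -H "ldap://$1" -y "$3" 2>&1)
    classify_whoami_output "$output"
}

# Constructed sample: the Windows Server 2003 response shape from the thread.
SAMPLE_AD2003_OUTPUT='SASL/DIGEST-MD5 authentication started
SASL username: jsmith
SASL SSF: 128
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
        additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece
Result: Protocol error (2)'

# Constructed sample: a rejected password.
SAMPLE_BAD_PASSWORD_OUTPUT='SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)'

# Classify the embedded sample so the logic can be exercised offline.
demo_classify_sample() {
    classify_whoami_output "$SAMPLE_AD2003_OUTPUT"
}
```

Usage against a real DC would be `check_ptr 192.0.2.10 && ad_sasl_bind_check ad.example.com jsmith /path/to/passfile`; for a monitoring or login-test script, treat both `auth-ok` and `auth-ok-exop-unsupported` as success and alert only on `auth-failed` or `unknown`.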
On 17/09/2010 15:28, Dan White wrote:
> On 16/09/10 18:26 +0530, Vinay Kalkoti wrote:
> > Hi,
> > Is it possible to use OpenLDAP client to authenticate against Active Directory without using Samba or SUF ?
> Yes. I've seen both GSSAPI and DIGEST-MD5 SASL binds work.
You can also use plain authentication against AD:
ldapsearch -x -H ldap://ad.server/ -D "username@domain.ext" -W -b "dc=domain,dc=ext"
Yes, the -D option will take the userPrincipalName to bind with. This is a bit of a twist on LDAP authentication, and you can of course just use the plain DN instead, as you would on any other LDAP directory.
A random tip: if your AD forest has several domains in it, you'll want to look into querying a "Global Catalogue". These use port 3268 in the same way as the standard LDAP port, but include data from all domains in the forest.
Hope this helps, Jonathan
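The following is an added example, not code from the thread or from the OpenLDAP project. It covers the two points in Jonathan's reply: deriving the search base `dc=domain,dc=ext` from the domain part of the userPrincipalName passed to -D, and choosing port 3268 for a forest-wide Global Catalog query instead of 389 for a single domain. It adds -ZZ so the simple-bind password is only sent after StartTLS succeeds, which assumes the DC presents a certificate the client trusts (use ldaps:// on 636 or 3269 otherwise). The host ad.example.com and the UPN jsmith@corp.example.com are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Host names and UPNs are placeholders.

# jsmith@corp.example.com -> dc=corp,dc=example,dc=com
# Returns 1 when the argument carries no '@' (i.e. it is a DN, not a UPN).
upn_to_base_dn() {
    domain=${1#*@}
    [ "$domain" != "$1" ] || return 1
    printf 'dc=%s\n' "$domain" | sed 's/\./,dc=/g'
}

# Port 389 serves one domain; 3268 is the Global Catalog for the whole forest.
ad_ldap_url() {
    # $1 = AD host, $2 = "gc" for the Global Catalog, anything else for a domain
    if [ "$2" = gc ]; then
        printf 'ldap://%s:3268/\n' "$1"
    else
        printf 'ldap://%s:389/\n' "$1"
    fi
}

# Simple bind with the UPN, base derived from the UPN, StartTLS enforced.
# -W prompts for the password so it never appears in the process list.
ad_simple_search() {
    # $1 = AD host, $2 = UPN, $3 = LDAP filter, $4 = "gc" or empty
    base=$(upn_to_base_dn "$2") || { echo "not a UPN: $2" >&2; return 1; }
    ldapsearch -x -ZZ -H "$(ad_ldap_url "$1" "$4")" -D "$2" -W -b "$base" "$3"
}
```

Example invocation: `ad_simple_search ad.example.com jsmith@corp.example.com '(sAMAccountName=jsmith)' gc` searches every domain in the forest; drop the trailing `gc` to query only corp.example.com on 389. Note that a Global Catalog holds only a partial attribute set, so attributes not replicated to the GC must be read from a domain controller on 389.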
openldap-technical@openldap.org