On 05/29/2017 10:48 AM, Andreas Hasenack wrote:
On Mon, May 29, 2017 at 11:36 AM, Alexandre Rosenberg
<arekkusu(a)r42.ch> wrote:
Hello,
I am in an environment where we use both OpenLDAP and Active Directory.
All Linux servers authenticate against OpenLDAP where we have user
group, unix group (...)
I would like to keep everything the same except that when the user
binds to OpenLDAP the credentials should be checked against Active
Directory.
There is no need to retrieve/return any information from Active
Directory except for the authentication.
This means that if I perform a BIND and a search, the BIND should be
performed against the AD but the search result should come from
OpenLDAP. (anonymous search is fine)
One complication is that we have 2 types of usernames:
short username: john01
long username: john.smith(a)example.com
The short usernames are used in OpenLDAP like this:
uid=john01,ou=People,dc=example,dc=com
While the AD uses the long username. From my test, when binding to
AD the "DN" is simply set to the username:
john.smith(a)example.com
I am starting to seriously look at the various OpenLDAP overlays
and proxy functionality but I am a bit confused about how to achieve
this.
Have you looked into authenticating using GSSAPI (kerberos)? Your AD
is your kerberos server. Then all you need is an openldap service user
in AD and you are done.
If you have ACLs in openldap that rely on the openldap-stored user DN
(uid=john01, ...), you can use authz-regexp to map the kerberos sasl
entity to that probably.
+1 That's exactly how we do it here, and it works great. If you're not
familiar with Kerberos yet, take the time to learn it - it's not that
hard to learn, and it's time well spent.
Also, if you're going to be using AD for Kerberos in a Linux
environment, you might want to know about msktutil, which is like
ktutil, but works with AD Kerberos servers:
https://sourceforge.net/projects/msktutil/
--
Prentice
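An added example, not from any message in this thread, of what the authz-regexp mapping Andreas describes could look like in slapd.conf. It assumes slapd is built with GSSAPI SASL support and has a keytab for its own AD service principal (obtainable with msktutil), that the Kerberos realm is EXAMPLE.COM, and that each OpenLDAP entry under ou=People carries the long username in a mail attribute; the attribute name and the base DN are assumptions for illustration. Because the short uid (john01) cannot be derived from the principal name (john.smith) by string rewriting alone, the replacement is a search URL rather than a literal DN:

```conf
# Added example, not the thread's own configuration.
# Authentication happens in Kerberos (AD is the KDC); OpenLDAP never sees
# the password. This rule only maps the resulting SASL identity, which slapd
# represents as uid=<principal>,cn=<realm>,cn=gssapi,cn=auth, onto the
# existing entry so that ACLs written against uid=john01,ou=People,... keep
# working. The realm and the mail attribute are assumptions.
authz-regexp
    "uid=([^,]*),cn=example\.com,cn=gssapi,cn=auth"
    "ldap:///ou=People,dc=example,dc=com??one?(mail=$1@example.com)"

# The search must match exactly one entry; if it matches zero or several,
# slapd refuses the mapping and the bind identity stays the raw SASL DN.
# Restricting the scope to "one" under ou=People keeps the lookup cheap and
# prevents an entry elsewhere in the tree from being matched by mistake.
```

To check the mapping after a `kinit john.smith@EXAMPLE.COM`, run `ldapwhoami -Y GSSAPI` against the OpenLDAP server: it should report `dn:uid=john01,ou=People,dc=example,dc=com` rather than the cn=gssapi,cn=auth form. If it still shows the SASL DN, the search returned no unique match, which is the failure mode to watch for when usernames are not in a one-to-one relationship.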