Dear Friends
I am new to OpenLDAP. We are migrating our application (integrated with a web server) from Windows to FreeBSD.
However, this is adding a bit of a problem. Previously, I used the Microsoft SSPI authentication loop mechanism to authenticate the users connecting from a GUI client (launched from computers in MS Active Directory) to our application. AD authentication helped avoid maintaining separate passwords.
Now, since we are moving to FreeBSD and a web-based interface, it is difficult to use the same SSPI mechanism, and so the users connecting to this application from a web browser can be authenticated using the AD credentials.
The function ldap_bind_s requires an explicit password when connecting to the directory server using a username other than the logged-in user.
Also, the pass-through authentication mechanism (14.5) outlined in the OpenLDAP Admin Guide cannot be used as it is for slapd.
Thus, can you please help me know how I can authenticate a user configured in AD and connecting from a web browser running on a computer in AD, using the OpenLDAP client on FreeBSD? I want to avoid maintaining or passing passwords on FreeBSD.
Many thanks in advance for your time and help.
Thanks and Regards, - ganesh
On Wed, 12 Jun 2013 16:23:00 +0800, Ganesh Borse bganesh05@gmail.com wrote:
You may either direct your web application for authentication and authorization to Active Directory, or use an LDAP proxy to connect to Active Directory. You may want to read man slapd-ldap(5) for further information.
-Dieter
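The proxy Dieter refers to is the slapd-ldap backend. The following slapd.conf fragment is an added illustration, not part of this thread or of the OpenLDAP project's documentation; the suffix, domain controller host name and schema path are assumed values for a FreeBSD port installation.

```conf
# Added example: slapd as an LDAP proxy in front of Active Directory (back-ldap).
# Schema path is the FreeBSD port default (assumed).
include         /usr/local/etc/openldap/schema/core.schema

database        ldap
suffix          "dc=example,dc=com"          # assumed AD domain naming context
uri             "ldaps://dc1.example.com/"   # assumed domain controller; LDAPS so bind passwords never cross the wire in clear
protocol-version 3

# AD answers with referrals for other partitions (e.g. ForestDnsZones);
# do not let the proxy wander off following them.
chase-referrals no

# Reuse the client's own bind credentials when the proxy has to
# re-establish its connection to AD, instead of an anonymous rebind.
rebind-as-user  yes

# The proxy exists only to verify credentials; refuse any write through it.
readonly        yes
```

A client that binds to this slapd with a user's DN (or userPrincipalName) and password has the simple bind forwarded to AD; the proxy does not remove the need for the application to obtain the user's password, which is the limitation Ganesh raises in the original question.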
Hi Dieter
Thanks for this quick guidance.
Yes, I will try to use an LDAP proxy, which I think will be nothing but slapd-ldap.
Is there any way to integrate this proxy in my application process (a C++ process)? This is because, depending on the success or failure of this authentication process, our application needs to allow the user to perform the actions over the web connection.
Thanks, - ganesh
On Wed, Jun 12, 2013 at 4:57 PM, Dieter Klünter dieter@dkluenter.de wrote:
Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:DA147B05 53°37'09,95"N 10°08'02,42"E
Ganesh Borse wrote:
You should rather try to learn about WebSSO with SPNEGO/Kerberos. Personally I have configured CAS with SPNEGO/Kerberos and LDAP fallback for password checking for some customers. There might be other decent WebSSO implementations with support for that.
But this is highly off-topic here. So don't follow up on OpenLDAP lists.
Ciao, Michael.
What I am looking for is somewhat similar to an OpenLDAP proxy for AD.
What I did not understand is how a separate process running on the same computer can request the slapd daemon to perform the authentication of various users.
Will the client process be connected to AD using ldap_bind_s and also communicate with slapd to pass user details to authenticate?
Thanks,
On Thu, Jun 13, 2013 at 1:18 AM, Michael Ströder michael@stroeder.com wrote:
openldap-technical@openldap.org