Hi,
I'm new to OpenLDAP; I've been reading the documentation for some time but cannot figure out whether there is a solution.
We have many products in our company that use sAMAccountName (from an Active Directory server) as the login credential for authentication purposes. Now we have an additional requirement to support authentication of users from another Active Directory server. Since many products do not allow specifying more than one LDAP server, the idea is to configure an OpenLDAP proxy that will then forward requests to either AD server. Nevertheless, the format of the login credentials has to stay the same. So the final goal is to be able to authenticate users of both AD directories by binding against the OpenLDAP proxy using sAMAccountName (some other data can be added to the DN, but it has to be static).
1. Can OpenLDAP be configured to accept sAMAccountName and domain as the bind DN and then forward it to either AD server depending on the domain name?
2. If not, can OpenLDAP be configured to perform a search (including filtering by the sAMAccountName field) behind the scenes and then bind using the DN of the found user? (All this happens when the user tries to bind against the OpenLDAP proxy.)
3. Any other solutions?
BR, Martins
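The search-then-bind dispatch that option 2 describes, as an added example that is not from this thread or from OpenLDAP: the proxy side parses a bind DN of the static form `sAMAccountName=<user>,dc=<domain>,dc=proxy`, picks the AD server for that domain from a fixed map, and builds an RFC 4515-escaped search filter for the user's real DN. The server URIs, search bases and the `dc=proxy` suffix are constructed assumptions; the actual search and bind against AD are left to the LDAP client library.

```python
import re

# Constructed example: static map from the domain component embedded in the
# bind DN to the AD server that owns that domain. Only domains listed here are
# ever contacted, so a client cannot steer the proxy to an arbitrary server.
AD_SERVERS = {
    "corp1": {"uri": "ldaps://ad1.corp1.example", "base": "DC=corp1,DC=example"},
    "corp2": {"uri": "ldaps://ad2.corp2.example", "base": "DC=corp2,DC=example"},
}

# Expected static bind-DN form. sAMAccountName cannot contain a comma, so a
# plain "[^,]+" capture is sufficient for the user part.
_BIND_DN_RE = re.compile(
    r"^sAMAccountName=(?P<user>[^,]+),dc=(?P<domain>[^,]+),dc=proxy$",
    re.IGNORECASE,
)


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515) so a login name such
    as 'jdoe)(objectClass=*' is searched literally instead of altering the
    filter the proxy sends to AD."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def route_bind(bind_dn: str):
    """Parse the static-form bind DN and choose the AD server by domain.

    Returns (uri, search_base, filter) for the search-then-bind step, or None
    when the DN does not match the expected form or names an unknown domain.
    The caller searches AD with the filter under search_base, then performs the
    real bind with the DN returned by that search and the client's password.
    """
    m = _BIND_DN_RE.match(bind_dn.strip())
    if not m:
        return None
    user, domain = m.group("user"), m.group("domain").lower()
    target = AD_SERVERS.get(domain)
    if target is None:
        return None
    flt = "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(user)
    return target["uri"], target["base"], flt
```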
Hi,
You can accomplish what you desire with the OpenLDAP meta backend and saslauthd.
Full instructions are on this page:
https://ltb-project.org/documentation/general/sasl_delegation
-mike
On Fri, Nov 10, 2017 at 2:22 PM, Mārtiņš Mieriņš martins.mierins@gmail.com wrote: