On Fri, Mar 31, 2017 at 12:47 PM, Howard Chu <hyc(a)symas.com> wrote:
Curtiss Howard wrote:
> I've got two Active Directory servers that are being proxied through
> and their respective trees are being merged into one. So far, so good.
> Now I want to allow users to bind to the OpenLDAP server and pass the
> authentication through to the appropriate AD and let it do the password
> I see a lot of documentation on using SASL for passthrough, but where I'm
> stuck is that this requires every user to have an account in the OpenLDAP
> server in order to see if the userPassword attribute is specially
> In my case, this isn't really a palatable solution because I'm using the
> OpenLDAP server with the meta backend and using it as a "live view" into
> data contained in the ADs. Other applications can talk directly to the
> and in order to do the SASL approach there'd have to be some syncing from
> ADs to the OpenLDAP server every time a user is created/deleted.
> I would think that surely there must be some way to pass through the
> authentication in a more obvious manner -- i.e., if the user doesn't exist
> locally, try to bind against each proxied server in succession. But I
> seem to find a way to do this, all references point to the SASL approach.
> Is there a way to do this?
Just use slapo-pbind.
Ah nice, this sounds more like it. However, I have two AD servers that I'm
proxying -- is there a concept of using this overlay multiple times?