On Fri, Mar 31, 2017 at 12:47 PM, Howard Chu <hyc(a)symas.com> wrote:
> Curtiss Howard wrote:
>> Hi,
>>
>> I've got two Active Directory servers that are being proxied through
>> OpenLDAP and their respective trees are being merged into one. So far,
>> so good.
>>
>> Now I want to allow users to bind to the OpenLDAP server and pass the
>> authentication through to the appropriate AD and let it do the password
>> checking.
>>
>> I see a lot of documentation on using SASL for passthrough, but where
>> I'm stuck is that this requires every user to have an account in the
>> OpenLDAP server in order to see if the userPassword attribute is
>> specially formatted. In my case, this isn't really a palatable solution
>> because I'm using the OpenLDAP server with the meta backend and using it
>> as a "live view" into the data contained in the ADs. Other applications
>> can talk directly to the ADs, and in order to do the SASL approach
>> there'd have to be some syncing from the ADs to the OpenLDAP server
>> every time a user is created/deleted.
>>
>> I would think that surely there must be some way to pass through the
>> authentication in a more obvious manner -- i.e., if the user doesn't
>> exist locally, try to bind against each proxied server in succession.
>> But I can't seem to find a way to do this; all references point to the
>> SASL approach.
>>
>> Is there a way to do this?
>>
> Just use slapo-pbind.

Ah nice, this sounds more like it. However, I have two AD servers that I'm
proxying -- is there a concept of using this overlay multiple times?
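
The single-server form of what Howard suggests, as an added illustration that is not part of the thread: slapo-pbind stacked on the poster's back-meta database, so that Simple Binds reaching that database are forwarded to one AD for password checking. The hostnames, suffixes and the ou=ad1/ou=ad2 mapping of each AD under the merged tree are assumed placeholders, and the two-AD question asked above is left as asked.

```conf
# Added illustration in slapd.conf style, not from the thread.
# Hostnames, suffixes and DNs below are assumed placeholders.

database        meta
suffix          "dc=merged,dc=example"

# First AD, presented under ou=ad1 of the merged tree
uri             "ldap://ad1.example.com/ou=ad1,dc=merged,dc=example"
suffixmassage   "ou=ad1,dc=merged,dc=example" "dc=ad1,dc=example"

# Second AD, presented under ou=ad2 of the merged tree
uri             "ldap://ad2.example.com/ou=ad2,dc=merged,dc=example"
suffixmassage   "ou=ad2,dc=merged,dc=example" "dc=ad2,dc=example"

# slapo-pbind forwards Simple Binds on this database to a remote server.
# It is configured with slapd-ldap(5) directives; only uri is shown here.
# SASL binds are not touched by the overlay.
overlay         pbind
uri             "ldap://ad1.example.com"
```

Two things to check before relying on it. First, the overlay forwards the bind DN as the client presented it, through its own ldap connection rather than through the meta targets, so the DN a user binds with must be one the target AD itself accepts; `ldapwhoami -x -H ldap://proxy.example.com -D '<dn>' -W` against the proxy is the quick way to confirm. Second, the user's password travels over the forwarded connection, so point the pbind `uri` at `ldaps://` (or use the slapd-ldap(5) TLS directives) rather than plain `ldap://` in anything but a test setup.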