
RE: ldapsearch query via OpenLDAP proxy to AD



At 11:13 AM 4/27/2004, Lank, Tim wrote:
>Perhaps I still don't understand. The username and password that the linux clients would be putting in are the same as their Active Directory usernames and passwords. My thought was that I would be able to not have to set up the pam_ldap and nss_ldap on every linux client, but rather point them at an OpenLDAP server set up as a proxy that will take care of passing these credentials back and forth from the AD to the respective linux clients.

Whether you point "Linux clients" to slapd(8), MS AD, or some
other LDAP server, or to some LDAP proxy to an LDAP server,
you have to 'configure' the "Linux client" for LDAP-based
login services.  How you do that depends on what form of
Linux login services (PAM/LDAP, NSS/LDAP, other) you intend
to use, and is a topic for forums specific to the
particular form you choose.

>Is this not how it works? 

I think you have some misunderstandings of how Linux login services
work.  Suggest you read up on the topic and, if you have questions,
direct them to a list formed to discuss Linux login services
(or the particular form of Linux login service you choose).

>In order to authenticate linux clients to the AD, from what you are indicating below, I cannot use OpenLDAP in this way using either back-meta or back-ldap because they cannot pass the original username and password "as-is" over to the AD and the approval or denial back to the originating client. Please clarify.

slapd(8), I believe, can be used to proxy LDAP simple authentication.
That is, an LDAP client can issue a Bind request with a DN and password
to slapd(8) and have slapd(8) forward, via back-ldap or back-meta,
that request to another LDAP server... and process the response
accordingly.  This you can test with ldapsearch(1).

But note that the 'original' Linux username is not an LDAP DN.  So the
'Linux client' has to, if it wants to use LDAP simple authentication,
transform the Linux username into an LDAP DN.  How it does this,
including any configuration options involving such transformations,
is specific to the particular Linux login services (e.g., PAM/LDAP,
NSS/LDAP, or other) you are using.

Kurt
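
As an added example (not part of the original thread, and not code from the OpenLDAP project), the following script writes the minimal slapd.conf(5) fragment for a back-ldap proxy that forwards client Binds to an AD domain controller, and wraps the two ldapsearch(1) calls that exercise it: the username-to-DN lookup that Kurt says belongs to the login service, and the Bind as that DN through the proxy. The hostnames, suffixes, service-account DN and password file are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original thread. All hostnames, suffixes and
# DNs below are placeholders (assumptions), not values from the discussion.

# Write a slapd.conf fragment defining a back-ldap proxy database.
#   $1 = output path
#   $2 = URI of the AD domain controller (use ldaps:// so the forwarded
#        password is not sent to AD in the clear; assumes LDAPS is enabled)
#   $3 = suffix the proxy presents to clients
#   $4 = naming context AD actually holds
# Heredoc lines start in column 0 on purpose: slapd.conf treats a line that
# begins with whitespace as a continuation of the previous line.
write_proxy_config() {
    cat > "$1" <<EOF
# Proxy database: every operation under the virtual suffix, including a
# simple Bind, is forwarded to the remote server with the client's own DN
# and password, and the remote server's result is returned to the client.
database        ldap
suffix          "$3"
uri             "$2"
# Rewrite the virtual suffix to AD's real naming context on the way out
# and back (only needed when the two differ).
suffixmassage   "$3" "$4"
EOF
}

# Step the login service has to do itself: turn a Linux username into a DN.
# AD does not, by default, let anonymous clients search user entries, so a
# service account (DN in $3, password in the file named by $4) is assumed.
#   $1 = proxy URI, $2 = search base, $3 = service bind DN, $4 = password file
#   $5 = Linux username; prints the matching entry's DN
lookup_user_dn() {
    ldapsearch -x -LLL -H "$1" -D "$3" -y "$4" -b "$2" \
        "(sAMAccountName=$5)" dn | sed -n 's/^dn: //p'
}

# Kurt's test: Bind through the proxy as the looked-up DN, then read the
# entry back. ldapsearch exits non-zero on "invalid credentials", so the
# exit status tells you whether AD accepted the forwarded Bind. -W prompts
# for the password; -ZZ insists on StartTLS to the proxy so the password is
# also protected on the client-to-proxy hop.
#   $1 = proxy URI, $2 = user DN
test_proxy_bind() {
    ldapsearch -x -ZZ -H "$1" -D "$2" -W -b "$2" -s base '(objectClass=*)' dn
}

# Typical sequence (commented out so the script can be sourced offline):
# write_proxy_config /etc/openldap/slapd-proxy.conf \
#     "ldaps://dc1.ad.example.com/" "dc=example,dc=com" "dc=ad,dc=example,dc=com"
# dn=$(lookup_user_dn ldap://proxy.example.com/ dc=example,dc=com \
#     "cn=svc-ldap,cn=Users,dc=example,dc=com" /etc/ldap.secret tlank)
# test_proxy_bind ldap://proxy.example.com/ "$dn"
```

Note what this does and does not buy you: the proxy only relays an LDAP Bind; it does not remove the need for pam_ldap/nss_ldap (or equivalent) on each client, because something on the client still has to perform the `lookup_user_dn` step (pam_ldap does it with its own bind DN and `pam_login_attribute`) before it can Bind. The proxy also sees every user's cleartext password as it passes through, so both hops should be TLS and the proxy host treated as sensitively as the domain controller.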