Re: Proxy to Active Directory
On Friday 29 August 2008 14:07:11 Andrew Bartlett wrote:
> On Fri, 2008-08-29 at 15:14 +1000, Nazeeruddin Mohammad wrote:
> > Sorry, I couldn't pass the message properly.
> > We want to use openldap, as many services depend on it. However, we want
> > to synchronize LDAP user accounts with those on AD. This means users
> > need to remember only one password
> >
> >
> > I heard that there is possibility of doing this through openldap's proxy
> > feature.
> >
> > Could anyone enlighten me how to accomplish this? Or, is there any other way
> > of doing this?
> >
> > Here is my slapd.conf snippet
>
> Perhaps set the userPassword attribute to {SASL}user@AD.DOMAIN and
> have SASL handle the forwarding of the simple binds into kerberos kinit
> requests?
>
> (I did this, to a bundled Heimdal many years ago, I don't know if it
> works how you want however).
>
> Otherwise, perhaps look for a redirection via PAM to winbindd or
> pam_krb5?
There is a feature hidden in ITS that would provide a better solution,
allowing for authentication to still work if/when AD is unavailable (due to
network issue, firewall issue etc.).
http://www.openldap.org/its/index.cgi/Contrib?id=5042;selectid=5042
However, there has been no discussion on it in the past year.
I have tested it (against a Heimdal kdc), but it kind of defeats the point if
you can't use hdb_ldap at the same time :-P (and there are issues to be
resolved to make it work with ppolicy). However, it does work ...
Regards,
Buchan
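As an added illustration of the {SASL} pass-through that Andrew describes above (this is not part of the thread and not OpenLDAP's own documentation), the three pieces that have to line up are shown below. It assumes a Kerberos realm AD.EXAMPLE.COM served by the AD domain controllers, a user jdoe, an slapd built with --enable-spasswd, and Cyrus SASL's saslauthd running on the same host as slapd; realm, user, DN and file paths are placeholders and vary by distribution.

```conf
# 1. The user's entry in the OpenLDAP directory (LDIF form, placeholder DN).
#    No password hash is stored locally: the {SASL} scheme makes slapd hand
#    the simple-bind password to Cyrus SASL and verify it as the named
#    Kerberos principal.
#
#      dn: uid=jdoe,ou=people,dc=example,dc=com
#      userPassword: {SASL}jdoe@AD.EXAMPLE.COM

# 2. Cyrus SASL application config for slapd
#    (typically /usr/lib/sasl2/slapd.conf or /etc/sasl2/slapd.conf).
#    Route password checks to the saslauthd daemon over its mux socket
#    instead of an in-process sasldb.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# 3. saslauthd invocation (init script or /etc/default/saslauthd, assumed).
#    The kerberos5 mechanism validates jdoe@AD.EXAMPLE.COM by requesting a
#    ticket from that realm's KDC, i.e. the AD domain controllers.
#
#      saslauthd -a kerberos5 -m /var/run/saslauthd/mux
```

A simple bind such as `ldapwhoami -x -D "uid=jdoe,ou=people,dc=example,dc=com" -W -H ldap://localhost` then succeeds only if the AD KDC accepts the password; saslauthd can be exercised on its own with `testsaslauthd -u jdoe@AD.EXAMPLE.COM -p '...'`. Because every such bind is verified against the KDC at bind time, the directory's authentication availability becomes tied to reachability of the domain controllers, which is exactly the gap Buchan's reply raises, and it is worth monitoring slapd's bind failures separately from the KDC's own logs so that a KDC outage is not mistaken for a wave of bad passwords.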