[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP authenticate the username/password with MS-AD?



On 18/07/10 23:52 +0600, OSHIM wrote:
What we want to achieve is user using services like OpenVPN, webproxy,
emails, file sharing, etc will only need to remember their MS AD password
and they will be able to login to the corresponding services they are
entitle to used. In order to do so, we will need to configure OpenLDAP on
Linux to authenticate with MS AD server. OpenLDAP will contain the user
information but authentication will come from MS AD.

You've presented a list of software that just aren't going to work the same
way. There's no consistent approach to how software uses LDAP to
authenticate users.

You're going to need to do some research and find out how each package
performs authentication:

1. Does the software directly bind to the LDAP server using the provided
user credentials, and use the result as a yes/no determination of whether
the user is authenticated.

2. If so, does it bind using SASL?

3. If not, does it bind to the server using a privileged account to
retrieve the user's DN. Does it then perform a second bind to the LDAP
server?

4. If not, does it simply use LDAP as a password database, retrieving the
user's credentials via a privileged account and then acting on the
retrieved password?

5. Something else? If it can't use LDAP, can it use PAM?

--
Dan White