
RE: Pass-Through authentication



Hi William,
Maybe I didn't explain myself correctly...
I have no problem in making OpenLDAP work as a consolidation directory for
a single Active Directory Forest, and having SASL do the pass-through
authentication from OpenLDAP to the AD Global Catalogue...
What I don't know is how I can do it with multiple AD Domain
Controllers.

Let me give an example :

User: Paulo.Correia
Domain Controller  : AD.cisco.com
UPN : Paulo.Correia@cisco.com

User: William.Brown
Domain Controller: AD.mit.edu
UPN: William.Brown@mit.edu

Now I want to have a single directory in OpenLDAP that will have both
of the users and will pass through the authentication to the original
ADs.

# Hernani Correia, Users, cisco.com
dn: CN=Paulo Correia,CN=Users,DC=consolidated,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: Hernani Correia
sn: Correia
givenName: Hernani
userPassword: {SASL}Paulo.Correia@cisco.com
userPrincipalName: Paulo.Correia@cisco.com
mail: Paulo.Correia@cisco.com

# William Brown, Users, mit.edu
dn: CN=William Brown,CN=Users,DC=consolidated,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: William Brown
sn: Brown
givenName: William
userPassword: {SASL}William.Brown@mit.edu
userPrincipalName: William.Brown@mit.edu
mail: William.Brown@mit.edu

My problem is that in /etc/saslauthd.conf I need to statically define a
single LDAP server or multiple LDAP servers for the queries:
ldap_servers: ldap://ad-cisco-1.cisco.com
ldap_search_base: dc=cisco,dc=com
ldap_timeout: 10
ldap_filter: sAMAccountName=%u
ldap_bind_dn: cn=Administrator,cn=users,dc=cisco,dc=com
ldap_password: Cisco,123
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind

I need to bind based on the domain, not a single bind in SASL.

Can you help ?

Paulo
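One way to get a per-domain bind without changing saslauthd at all is to let slapd itself proxy each forest with back-ldap and rewrite the DN suffix, so that a simple bind against one branch of the consolidated tree is forwarded to that branch's own domain controller. The fragment below is an added example, not configuration from this thread or from the OpenLDAP project; the branch names (ou=cisco, ou=mit), the local database type and directory, and the use of ldaps:// are assumptions, while the AD container paths follow the entries Paulo posted.

```conf
# Assumed slapd.conf fragment (added example; branch names, hostnames and
# the local database settings are illustrative).
#
# Each forest is a back-ldap database glued under the consolidated suffix.
# Subordinate databases are listed before the superior (glue) database.

# cisco.com forest: ou=cisco,dc=consolidated,dc=com -> CN=Users,DC=cisco,DC=com
database    ldap
suffix      "ou=cisco,dc=consolidated,dc=com"
subordinate
uri         "ldaps://ad.cisco.com"
overlay     rwm
rwm-suffixmassage "ou=cisco,dc=consolidated,dc=com" "cn=Users,dc=cisco,dc=com"

# mit.edu forest: ou=mit,dc=consolidated,dc=com -> CN=Users,DC=mit,DC=edu
database    ldap
suffix      "ou=mit,dc=consolidated,dc=com"
subordinate
uri         "ldaps://ad.mit.edu"
overlay     rwm
rwm-suffixmassage "ou=mit,dc=consolidated,dc=com" "cn=Users,dc=mit,dc=edu"

# Root of the consolidated tree, held locally (the superior database).
database    hdb
suffix      "dc=consolidated,dc=com"
rootdn      "cn=admin,dc=consolidated,dc=com"
directory   /var/lib/ldap/consolidated
```

With this in place a client binds as cn=Paulo Correia,ou=cisco,dc=consolidated,dc=com and slapd forwards that simple bind, with the user's password, to ad.cisco.com as CN=Paulo Correia,CN=Users,DC=cisco,DC=com; a bind under ou=mit goes to ad.mit.edu instead. That is the per-domain routing a single ldap_servers line in saslauthd.conf cannot express. Two caveats: keep the uri on ldaps:// (or add tls start), because the password is sent to the domain controller on that connection, and add an idassert-bind with a read-only service account on each back-ldap database if clients need to search the branches before they have authenticated, since AD will not answer anonymous searches.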



-----Original Message-----
From: Indexer [mailto:indexer@internode.on.net] 
Sent: Monday, November 15, 2010 11:44 AM
To: Paulo Jorge N. Correia (paucorre)
Cc: openldap-technical@openldap.org
Subject: Re: Pass-Through authentication 


On 15/11/2010, at 04:59, Paulo Jorge N. Correia (paucorre) wrote:

> Hi all,
>
> I'm just starting with openLDAP and saslauth, and I'm trying to
> replicate what I can achieve with ADAM/AD LDS in Windows platform.
>
> I'm trying to use openldap to aggregate user information from several
> AD servers under different forests.
>
> So single point of contact from an LDAP perspective for an
> organization, and then openldap should pass-through the authentication
> request that receives to the AD DC of the respective user.
>
> This works well with saslauthd for a single domain, but if I need to
> do this with multiple domains, I don't know how to configure
> saslauthd.

Windows and AD utilise Kerberos. Just treat your AD servers as KRB5
realms, and it works. Both MIT and Heimdal can work with this, so
following the passthrough instructions for these will work.

Alternatively, you can use AD as an LDAP server, but it follows much the
same principles.

http://www.openldap.org/doc/admin24/security.html



>
> Can someone help ?
>
> Thank you,
>
> Paulo
>

William Brown

pgp.mit.edu
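The Kerberos route William describes, written out as an added example that is not part of this thread: a krb5.conf that treats each AD forest as its own realm, so saslauthd's kerberos5 mechanism picks the KDC from the realm that slapd passes along with the user name. The KDC host names are taken from Paulo's examples and, like the default realm, are assumptions for illustration.

```ini
# Assumed /etc/krb5.conf (added example; KDC host names are illustrative).
# Each AD forest becomes a Kerberos realm with its domain controller as KDC.
[libdefaults]
    default_realm = CISCO.COM
    dns_lookup_kdc = false

[realms]
    CISCO.COM = {
        kdc = ad.cisco.com
    }
    MIT.EDU = {
        kdc = ad.mit.edu
    }

# Maps DNS names to realms; only consulted when a realm is not given
# explicitly, but it keeps host-based lookups consistent with the above.
[domain_realm]
    .cisco.com = CISCO.COM
    cisco.com  = CISCO.COM
    .mit.edu   = MIT.EDU
    mit.edu    = MIT.EDU
```

Run saslauthd with -a kerberos5 instead of -a ldap, and store the realm in the entry the way slapd expects it, e.g. userPassword: {SASL}Paulo.Correia@CISCO.COM and userPassword: {SASL}William.Brown@MIT.EDU. slapd hands saslauthd the part after the @ as the realm, and saslauthd builds the principal user@REALM from it, so each user is verified against the KDC of his own forest. Kerberos realm names are case-sensitive, so write them in upper case as AD does, not as the lower-case mail domains in the entries above. Point saslauthd at a host keytab with -O so that the obtained credentials are verified against a service key rather than merely accepted from whatever answers as the KDC.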


