
Re: How can OpenLDAP client process on FreeBSD authenticate a web user with active directory



On Wed, 12 Jun 2013 16:23:00 +0800,
Ganesh Borse <bganesh05@gmail.com> wrote:

> Dear Friends
> 
> I am new to OpenLDAP. We are migrating our application (integrated
> with webserver) from Windows to FreeBSD.
> 
> However, this is adding a bit of a problem. Previously, I used
> Microsoft SSPI authentication loop mechanism to authenticate the
> users connecting from GUI client (launched from computers in MS
> active directory) to our application. AD authentication helped avoid
> maintaining separate passwords.
> 
> Now, since we are moving to FreeBSD and web based interface, it is
> difficult to use the same SSPI mechanism and so, the users connecting
> to this application from web browser can be authenticated using the AD
> credentials.
> 
> The function ldap_bind_s requires explicit password when connecting to
> directory server using a username other than logged in user.
> 
> Also, pass-through authentication mechanism (14.5) outlined in
> OpenLDAP-Admin-Guide cannot be used as it is for slapd.
> 
> Thus, can you please help me know, how can I authenticate a user
> configured in AD and connecting from web browser running on a
> computer in AD using openLDAP client on FreeBSD? I want to avoid
> maintaining or passing passwords on FreeBSD.

You may either direct your web application for authentication and
authorization to Active Directory, or use an LDAP proxy to connect to
Active Directory. You may want to read man slapd-ldap(5) for further
information.

-Dieter
-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
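
The LDAP proxy option mentioned in the reply, sketched as a slapd.conf fragment for the back-ldap backend described in slapd-ldap(5). This is an added example, not part of the original message: the suffix, host name and file paths are placeholders, and the TLS settings are an assumed way to protect the simple binds that the proxy forwards to Active Directory.

```conf
# slapd.conf fragment: constructed example, all names and paths are placeholders.
# moduleload back_ldap        # only needed if back-ldap was built as a module

# Listener side: certificate the proxy presents to the web application.
TLSCACertificateFile   /usr/local/etc/openldap/certs/ca.pem
TLSCertificateFile     /usr/local/etc/openldap/certs/proxy.pem
TLSCertificateKeyFile  /usr/local/etc/openldap/certs/proxy.key

# Refuse simple binds from clients unless the connection to the proxy
# is protected with a security strength factor of at least 128.
security simple_bind=128

database        ldap
suffix          "dc=example,dc=com"

# Weak: the user's password would cross the network to AD in clear text.
# uri           "ldap://ad.example.com"

# Preferred: LDAPS to the domain controller, with the server certificate
# verified against the CA that issued it.
uri             "ldaps://ad.example.com"
tls             ldaps tls_reqcert=demand tls_cacert=/usr/local/etc/openldap/certs/ad-ca.pem

# Do not follow referrals returned by AD on behalf of the client.
chase-referrals no
```

With this in place the web application performs a simple bind against the proxy using the user's AD DN and password, and back-ldap forwards that bind to the domain controller, so no password is stored on the FreeBSD host.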