Re: How can OpenLDAP client process on FreeBSD authenticate a web user w

Re: How can OpenLDAP client process on FreeBSD authenticate a web user with active directory

To: openldap-technical@openldap.org

Subject: Re: How can OpenLDAP client process on FreeBSD authenticate a web user with active directory

From: Ganesh Borse <bganesh05@gmail.com>

Date: Thu, 13 Jun 2013 09:54:46 +0800

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=hW5MHk/0n/XrA/B170BPUosMRIvUcsoR1yufc8T3Lmw=; b=CNzGir708aXGEPmU9irmRgxgxOH1z5Uqj5rHGMoANtmcffCV3YmxyZ8hMwY19i90z+ UGyzUYPSo7TpAm59cMHfEZteAG8jmA0ZiXAKDRi3+HMfTHf1x3J316BY+g9ftwV6f+aN GT8F9/rzzyx6BuS7CRR1RojPI5idmjNFFvmoKdvfmGr/CV8ePGuiL6tWTUMl0cPxu3Ec mlnFPjPBPpUpOAdGyBmPxLQxFAV20CPKysY5vM7WJXEnzb8eKWgQaLys8Z/Lm/gTO/v9 OCFO0EqGSt/sn/NFjWQgN75e1S7ArCZ7jKbEZvSFWebm3KX7PR/Jag/VbNBxjfrzhrDg o7JQ==

In-reply-to: <51B8AD81.4090301@stroeder.com>

References: <CAEhYC0FKMxU+z8oBWKvamFOff5w1-yEWmGYzJp9pehNBaQQCJQ@mail.gmail.com> <51B8AD81.4090301@stroeder.com>

What I am looking for is somewhat similar to openldap proxy for AD.

What I did not understand is how a separate process running on the same computer request the slapd daemon to perform the authentication of various users?

Will the client process be connected to AD using ldap_bind_s and also communicate with slapd to pass user details to authenticate?

Thanks,

On Thu, Jun 13, 2013 at 1:18 AM, Michael Ströder <michael@stroeder.com> wrote:

Ganesh Borse wrote:
> I am new to OpenLDAP. We are migrating our application (integrated with
> webserver) from Windows to FreeBSD.
>
> However, this is adding a bit of a problem. Previously, I used Microsoft
> SSPI authentication loop mechanism to authenticate the users connecting
> from GUI client (launched from computers in MS active directory) to our
> application. AD authentication helped avoid maintaining separate passwords.
>
> Now, since we are moving to FreeBSD and web based interface, it is
> difficult to use the same SSPI mechanism and so, the users connecting to
> this application from web browser can be authenticated using the AD
> credentials.

You should rather try to learn about WebSSO with SPNEGO/Kerberos. Personally I
have configured CAS with SPNEGO/Kerberos and LDAP fallback for password
checking for some customers. There might be other decent WebSSO
implementations with support for that.

But this is highly off-topic here. So don't follow up on OpenLDAP lists.

Ciao, Michael.