[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Proxy to Active Directory

Nazeeruddin Mohammad wrote:
Hi Everyone,

Like many organizations, we have two authentication systems here. I am
trying to figure out a way of synchronizing LDAP passwords with AD
passwords; or proxying the requests to AD. Management wants to keep LDAP
intact, while enjoying the flexibility of single password.

Your management obviously has no idea what they're talking about. AD is not LDAP so "keeping LDAP intact" is nonsense.

I have unsuccessfully tried to use proxy functionally of LDAP to get
user information from AD. First of all, AD needs a user name and
password to retrieve information. Is there a way of specifying
username/password? Even the following ldapsearch FAILS on openldap
server, but the same query works fine for AD server.

ldapsearch -LLL -x -h localhost -b
'cn=users,dc=internal,dc=phg,dc=com,dc=au' -D
"ldapauth@internal.phg.com.au" -W –x

LDAP Simple Bind requests require an LDAPDN. "ldapauth@wherever" is not a DN. (See RFC4511 and RFC4514. This is one of the things we mean when we say "AD is not LDAP.")

As for using AD usernames - yes, use an LDAP Sasl Bind instead.

ldapsearch -LLL -x -h localhost -b 'dc=internal,dc=phg,dc=com,dc=au' -D
"CN=Ldap Authentication,OU=Linux,OU=InformationTechnology,OU=Portland
House,OU=Sites,DC=internal,DC=phg,DC=com,DC=au" -W –x

-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/