RE: Proxy to Active Directory



Sorry, I couldn't pass the message properly.
We want to use openldap, as many services depend on it. However, we want to synchronize LDAP user accounts with those on AD. This means users need to remember only one password.


I heard that there is a possibility of doing this through openldap's proxy feature.

Could anyone enlighten me how to accomplish this? Or, is there any other way of doing this?

Here is my slapd.conf snippet

database        ldap
# back-ldap proxy: entries under this suffix are fetched from the AD server named in uri
suffix          "cn=users,dc=internal,dc=phg,dc=com,dc=au"
subordinate
rebind-as-user
uri             "ldap://192.168.100.100/"
binddn          "CN=Ldap Authentication,OU=Linux,OU=InformationTechnology,OU=land House,OU=Sites,DC=int,DC=phf,DC=com,DC=au"
bindpw          "Mypassword"
chase-referrals yes

Regards
Nazeer
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, 29 August 2008 10:26 AM
To: Nazeeruddin Mohammad
Cc: 'openldap-technical@openldap.org'
Subject: Re: Proxy to Active Directory

Nazeeruddin Mohammad wrote:
> Hi Everyone,
>
> Like many organizations, we have two authentication systems here. I am
> trying to figure out a way of synchronizing LDAP passwords with AD
> passwords; or proxying the requests to AD. Management wants to keep LDAP
> intact, while enjoying the flexibility of single password.

Your management obviously has no idea what they're talking about. AD is not
LDAP so "keeping LDAP intact" is nonsense.

> I have unsuccessfully tried to use proxy functionally of LDAP to get
> user information from AD. First of all, AD needs a user name and
> password to retrieve information. Is there a way of specifying
> username/password? Even the following ldapsearch FAILS on openldap
> server, but the same query works fine for AD server.
>
> ldapsearch -LLL -x -h localhost -b
> 'cn=users,dc=internal,dc=phg,dc=com,dc=au' -D
> "ldapauth@internal.phg.com.au" -W -x

LDAP Simple Bind requests require an LDAPDN. "ldapauth@wherever" is not a DN.
(See RFC4511 and RFC4514. This is one of the things we mean when we say "AD is
not LDAP.")

As for using AD usernames - yes, use an LDAP Sasl Bind instead.

> ldapsearch -LLL -x -h localhost -b 'dc=internal,dc=phg,dc=com,dc=au' -D
> "CN=Ldap Authentication,OU=Linux,OU=InformationTechnology,OU=Portland
> House,OU=Sites,DC=internal,DC=phg,DC=com,DC=au" -W -x

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

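Howard's point about the -D value (a simple bind takes an RFC 4514 string DN, and ldapauth@internal.phg.com.au is an AD user principal name, not a DN) can be checked mechanically. The following is an added example, not code from this thread or from OpenLDAP: a small RFC 4514 DN parser plus a classifier that tells a DN apart from the AD user@realm form; the function names are my own.

```python
import re

ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")  # descriptor or OID (RFC 4514)
HEXPAIR = re.compile(r"^[0-9A-Fa-f]{2}$")
UPN = re.compile(r"^[^@\\\s,=]+@[^@\\\s,=]+$")  # user@realm, the AD userPrincipalName form


def _component(chars, eq):
    # chars: one "type=value" piece with escapes resolved; eq: index of its first '='
    if eq is None:
        raise ValueError("component without '=': %r" % "".join(chars))
    atype, value = "".join(chars[:eq]).strip(), "".join(chars[eq + 1:])
    if not ATTR_TYPE.match(atype):
        raise ValueError("bad attribute type: %r" % atype)
    return atype.lower(), value


def parse_dn(dn):
    """Parse an RFC 4514 string DN into RDNs, each a list of (type, value); ',' ends an RDN,
    '+' joins a multi-valued RDN, '\\' escapes one char or a hex pair. ValueError if not a DN."""
    rdns, rdn, comp, eq, i = [], [], [], None, 0  # eq = index of the unescaped '=' in comp
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":  # escape: \X or single-byte \XX
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash")
            hexpair = HEXPAIR.match(dn[i + 1:i + 3])
            comp.append(chr(int(hexpair.group(), 16)) if hexpair else dn[i + 1])
            i += 3 if hexpair else 2
            continue
        if ch == "=" and eq is None:
            eq = len(comp)
        elif ch in ",+":
            rdn.append(_component(comp, eq)); comp, eq = [], None
            if ch == ",":
                rdns.append(rdn); rdn = []
            i += 1
            continue
        comp.append(ch); i += 1
    rdn.append(_component(comp, eq)); rdns.append(rdn)
    return rdns


def classify_bind_identity(name):
    """'dn' works in an RFC 4511 simple bind (-D); 'upn' is AD-only, use a SASL bind (-Y) on OpenLDAP."""
    if UPN.match(name):
        return "upn"
    try:
        parse_dn(name)
        return "dn"
    except ValueError:
        return "invalid"
```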