[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Proxy to Active Directory

On Friday 29 August 2008 17:05:52 Michael StrÃder wrote:
> Buchan Milne wrote:
> > There is a feature hidden in ITS that would provide a better solution,

(depending on your requirements)

> > allowing for authentication to still work if/when AD is unavailable (due
> > to network issue, firewall issue etc.).
> >
> > http://www.openldap.org/its/index.cgi/Contrib?id=5042;selectid=5042
> The problem with this approach is that it stores a copy of the password
> within OpenLDAP. Depending on the security policy that's maybe not what
> one wants.

But, the operational policy may require it .... the OpenLDAP administrator is 
the only person who can make/implement that decision, I don't see a reason to 
prevent the administrator from doing this. It is better than a clear-text 
simple bind using the {SASL} feature (which would expose the cleartext 
password that you are trying to protect).