Re: Using AD authentication with an external LDAP for authorization
On Monday 08 December 2008 15:15:44 Andrew Findlay wrote:
> On Mon, Dec 08, 2008 at 11:31:21AM +0000, Stefan Stefansson wrote:
> > 2) LDAP server would delegate authentication for users it cannot
> > authenticate to the AD server but otherwise it would handle the
> > users it knows.
> That may be easier - for one thing you do not need to do anything
> scary to the central AD servers. See 'Pass-Through Authentication'
> in the Admin Guide:
> In principle you could use either LDAP or Kerberos access to the
> AD domain to implement this, though I think LDAP would be easier.
> It is also worth looking at the contributed slapd modules, as I think
> there is one that delegates authentication to a remote AD and then
> builds a local entry if the password is OK. smbk5pwd perhaps?
No, adpwc, which is stuck in ITS (#5042).
Depending on the exact requirements, bi-directional Kerberos trusts could also
be a solution here.