
Re: OpenLDAP authenticate the username/password with MS-AD?



Can anyone help me out?

test:~# testsaslauthd -u swioshim -p Test2010
0: NO "authentication failed"

Why did authentication fail?


On Jul 19, 2010, at 12:57 AM, Dan White wrote:

> On 18/07/10 23:52 +0600, OSHIM wrote:
>> What we want to achieve is user using services like OpenVPN, webproxy,
>> emails, file sharing, etc. will only need to remember their MS AD password
>> and they will be able to login to the corresponding services they are
>> entitled to use. In order to do so, we will need to configure OpenLDAP on
>> Linux to authenticate with MS AD server. OpenLDAP will contain the user
>> information but authentication will come from MS AD.
> 
> You've presented a list of software that just isn't going to work the same
> way. There's no consistent approach to how software uses LDAP to
> authenticate users.
> 
> You're going to need to do some research and find out how each package
> performs authentication:
> 
> 1. Does the software directly bind to the LDAP server using the provided
> user credentials, and use the result as a yes/no determination of whether
> the user is authenticated?
> 
> 2. If so, does it bind using SASL?
> 
> 3. If not, does it bind to the server using a privileged account to
> retrieve the user's DN? Does it then perform a second bind to the LDAP
> server?
> 
> 4. If not, does it simply use LDAP as a password database, retrieving the
> user's credentials via a privileged account and then acting on the
> retrieved password?
> 
> 5. Something else? If it can't use LDAP, can it use PAM?
> 
> -- 
> Dan White
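The third pattern in Dan White's list (privileged bind, look up the user's DN, second bind as the user) is the one most software uses against Active Directory, and it has two places where an integration quietly goes wrong: the search filter built from the supplied username, and the second bind when the supplied password is empty (an LDAP simple bind with an empty password is an unauthenticated bind, which some servers answer with success). The example below is added here and is not part of the thread or of any project's code. It runs offline against an in-memory stand-in for the directory; the bind and search calls mirror what a real client library exposes, so the `authenticate` function is the part to keep. All DNs, account names and passwords are constructed sample values.

```python
"""Search-then-bind LDAP authentication with the two checks a real
integration needs: RFC 4515 filter escaping and an empty-password guard.
Added example; directory contents below are constructed, not real."""
import re


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    username containing * ( ) \\ or NUL cannot change the filter's meaning."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


class FakeDirectory:
    """In-memory stand-in for an LDAP/AD server (hypothetical, for offline use)."""

    def __init__(self, entries):
        # entries: dn -> {"password": str, <attribute>: str, ...}
        self.entries = entries

    def bind(self, dn, password):
        # Simple-bind semantics: an empty password is an *unauthenticated*
        # bind (RFC 4513 section 5.1.2). Servers that allow it report
        # success, so this model returns True to show the trap.
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password

    def search_one(self, base_dn, ldap_filter):
        # Supports only the (attr=value) form, which is all the flow needs.
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if not m:
            return None
        attr, raw = m.groups()
        value = re.sub(r"\\([0-9a-fA-F]{2})",
                       lambda x: chr(int(x.group(1), 16)), raw)
        for dn, entry in self.entries.items():
            if dn.lower().endswith(base_dn.lower()) and entry.get(attr) == value:
                return dn
        return None


def authenticate(directory, service_dn, service_pw, base_dn, username, password):
    """Return True only if a second bind with the user's own credentials succeeds."""
    # Refuse empty passwords before talking to the directory; otherwise an
    # unauthenticated bind could be mistaken for a successful login.
    if not password:
        return False
    # Privileged bind used solely to locate the user's DN.
    if not directory.bind(service_dn, service_pw):
        raise RuntimeError("service account bind failed")
    # AD keys logon names by sAMAccountName; escape the user-supplied value.
    ldap_filter = "(sAMAccountName=%s)" % escape_filter_value(username)
    user_dn = directory.search_one(base_dn, ldap_filter)
    if user_dn is None:
        return False
    # The yes/no answer is the bind as the user, not the search result.
    return directory.bind(user_dn, password)


# Constructed sample directory (hypothetical DNs and secrets).
SERVICE_DN = "CN=svc-ldap,OU=Service,DC=example,DC=test"
BASE_DN = "DC=example,DC=test"
SAMPLE_DIRECTORY = FakeDirectory({
    SERVICE_DN: {"password": "svc-secret", "sAMAccountName": "svc-ldap"},
    "CN=Alice,OU=Users,DC=example,DC=test": {"password": "correct horse",
                                             "sAMAccountName": "alice"},
})


def check(username, password):
    """Authenticate against the sample directory with the sample service account."""
    return authenticate(SAMPLE_DIRECTORY, SERVICE_DN, "svc-secret",
                        BASE_DN, username, password)


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"),
                     ("alice", ""), ("bob", "x")]:
        print("%s / %r -> %s" % (user, pw, check(user, pw)))
```

Running the block shows that `alice` with an empty password is rejected by `authenticate` even though the directory's own `bind` would have reported success for it; that guard, together with the filter escaping, is what a practitioner should look for when auditing how a given package implements this pattern.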