
RE: Pass-Through authentication

Jonathan and all,
Need your support: what should the configuration of saslauthd.conf be in
the case where I have a slapd.conf configuration in which I use back-meta
to aggregate different hdb databases that are synchronized against AD
Domain Controllers?


-----Original Message-----
From: Paulo Jorge N. Correia (paucorre) 
Sent: Tuesday, November 16, 2010 7:01 PM
To: Jonathan Clarke; openldap-technical@openldap.org
Subject: RE: Pass-Through authentication

I decided to follow both options, and test which one is better :)

1 - back-meta
2 - change saslauthd from LDAP to Kerberos

Regarding back-meta I need help :( In the slapd.conf I have a database
created for back-meta. (Strange thing is that it didn't work when I
created a separate conf file for each database with "include
/etc/openldap/slapd_domain1.conf"; it only works if I add all the
databases in the same file, as shown below.) Now what should I configure
in the saslauthd.conf file? If I point ldap_servers at it, how does it
know which AD is associated with each user?


[root@openam-ldap openldap]# more ../saslauthd.conf
ldap_servers: ldap://localhost
ldap_search_base: dc=cisco,dc=com
ldap_timeout: 10
ldap_filter: uid=%u
ldap_bind_dn: cn=admin,dc=cisco,dc=com
ldap_password: Cisco,123
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind


[root@openam-ldap openldap]# more slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

sasl-host       localhost
sasl-secprops   none

database meta
suffix "dc=cisco,dc=com"

uri "ldap://localhost/ou=domain1,dc=cisco,dc=com";
suffixmassage "ou=domain1,dc=cisco,dc=com" "ou=domain1"

uri "ldap://localhost/ou=domain2,dc=cisco,dc=com";
suffixmassage "ou=domain2,dc=cisco,dc=com" "ou=domain2"

database        hdb
suffix "ou=domain1"
directory "/var/lib/ldap/domain1"
rootdn "cn=admin,ou=domain1"
rootpw "Cisco,123"

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uid                               eq,pres,sub

database        hdb
suffix "ou=domain2"
directory "/var/lib/ldap/domain2"
rootdn "cn=admin,ou=domain2"
rootpw "Cisco,123"

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uid                               eq,pres,sub

Thank you,

-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Jonathan
Sent: Monday, November 15, 2010 12:13 PM
To: openldap-technical@openldap.org
Subject: Re: Pass-Through authentication

On 14/11/10 18:29, Paulo Jorge N. Correia (paucorre) wrote:
> Hi all,
> I'm just starting with openLDAP and saslauthd, and I'm trying to
> replicate what I can achieve with ADAM/AD LDS on the Windows platform.
> I'm trying to use openldap to aggregate user information from several
> AD servers under different forests.
> So a single point of contact from an LDAP perspective for an
> organization, and then openldap should pass-through the authentication
> request that it receives to the AD DC of the respective user.
> This works well with saslauthd for a single domain, but if I need
> to do this with multiple domains, I don't know how to configure
> saslauthd.

saslauthd can only launch one LDAP search to find a user and check his
password. So if you're using several AD domains, you need to be able to
perform a single search over all those domains: set up a back-meta with
all the AD forests under it, and point saslauthd at that.
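The following is an added example (the editor's, not Paulo's posted configuration and not something Jonathan supplied) that puts the suggestion above into a concrete slapd.conf/saslauthd.conf pair. Two things differ from the config posted on Nov 16. First, the back-meta targets are the AD domain controllers themselves, not local hdb copies: a copy synchronized from AD cannot carry the AD password hashes, so a bind against it cannot verify an AD password, whereas back-meta forwards a simple bind for a DN under ou=forest1,... to the DC of forest1 with the user's own credentials. Second, saslauthd searches by sAMAccountName rather than uid, since that is the login name AD users actually have. The host names, DNs, the two read-only proxy accounts (cn=ldap-proxy,...) and the cn=saslauthd rootdn are assumptions; the rootpw is a placeholder to be replaced by slappasswd output.

```conf
# ---------------- /etc/openldap/slapd.conf (relevant part) ----------------
# Added example, not the poster's config. Hosts, DNs and accounts are assumed.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

database        meta
suffix          "dc=example,dc=com"
# Identity saslauthd binds as for the user search; local to the proxy.
rootdn          "cn=saslauthd,dc=example,dc=com"
# Placeholder: put the {SSHA} string produced by `slappasswd` here.
rootpw          "{SSHA}REPLACE-WITH-slappasswd-OUTPUT"

# Directives before the first "uri" are defaults for every target.
# AD answers subtree searches with referrals for other partitions
# (DomainDnsZones etc.); chasing them only slows the search down.
chase-referrals no
# StartTLS to each DC, verifying the DC certificate against the AD CA
# bundle (assumed path). Without this the user's password crosses the
# wire to the DC in the clear.
tls             start tls_cacert=/etc/openldap/cacerts/ad-forests-ca.pem

# --- Target 1: forest1, exposed under ou=forest1,dc=example,dc=com ---
uri             "ldap://dc1.forest1.example/ou=forest1,dc=example,dc=com"
suffixmassage   "ou=forest1,dc=example,dc=com" "dc=forest1,dc=example"
# AD rejects anonymous searches, so the search saslauthd runs as the
# rootdn is performed on this DC as a read-only proxy account.
# mode=none: use that account as-is, with no proxyAuthz control
# (AD does not implement it). Binds from end users are not affected:
# back-meta forwards them to the DC with the user's own DN/password.
idassert-bind   bindmethod=simple
                binddn="cn=ldap-proxy,cn=Users,dc=forest1,dc=example"
                credentials="forest1-proxy-password"
                mode=none
# Only saslauthd's identity may use the proxy account.
idassert-authzFrom "dn.exact:cn=saslauthd,dc=example,dc=com"

# --- Target 2: forest2, exposed under ou=forest2,dc=example,dc=com ---
uri             "ldap://dc1.forest2.example/ou=forest2,dc=example,dc=com"
suffixmassage   "ou=forest2,dc=example,dc=com" "dc=forest2,dc=example"
idassert-bind   bindmethod=simple
                binddn="cn=ldap-proxy,cn=Users,dc=forest2,dc=example"
                credentials="forest2-proxy-password"
                mode=none
idassert-authzFrom "dn.exact:cn=saslauthd,dc=example,dc=com"

# ---------------------- /etc/saslauthd.conf (mode: ldap) -------------------
# One search over the whole meta suffix; back-meta fans it out to every
# forest, so saslauthd never needs to know which DC owns the user.
ldap_servers: ldap://127.0.0.1
ldap_search_base: dc=example,dc=com
ldap_scope: sub
# AD login names live in sAMAccountName, not uid.
ldap_filter: (&(objectClass=user)(sAMAccountName=%u))
ldap_bind_dn: cn=saslauthd,dc=example,dc=com
# Cleartext of the rootpw above; this file must be mode 0600, root-owned.
ldap_password: REPLACE-WITH-THE-CLEARTEXT-ROOT-PASSWORD
# "bind": find the entry, then bind as its DN with the supplied password.
# That second bind is what back-meta proxies to the user's own DC.
ldap_auth_method: bind
ldap_version: 3
ldap_deref: never
ldap_restart: yes
ldap_timeout: 10
# Loopback only here; with a remote slapd set this to yes and add
# ldap_tls_cacert_file.
ldap_start_tls: no
```

To check the two halves separately: `slaptest -u -f /etc/openldap/slapd.conf` validates the slapd side, `ldapsearch -x -H ldap://127.0.0.1 -D cn=saslauthd,dc=example,dc=com -W -b dc=example,dc=com '(sAMAccountName=alice)' dn` should return one DN under either ou=forest1 or ou=forest2, and `testsaslauthd -u alice -p 'her-password'` exercises the full pass-through. If the search returns the entry but the bind fails, the problem is on the path to the DC (TLS trust, or the massaged DN), not in saslauthd. Since saslauthd.conf necessarily holds the bind password in the clear (as the Nov 16 message shows), keep that account limited to the meta database and keep the file unreadable to anyone but root.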