[Date Prev][Date Next]
conditional bind authentication against external ldap server
I'm trying to setup a way to have bind requests authenticated by logging
into an external ldap server. But to make things more complicated, I
only want to do it if a certain attribute is defined on the user's entry.
When a user binds, check to see if the 'seeAlso' attribute is defined
for the user.
If 'seeAlso' is not defined, try to authenticate as normal using the
'userPassword' stored in the local database.
If it is defined, 'seeAlso' will contain the DN of the user in another
ldap database (Active Directory in this case).
Use the seeAlso DN to determine the URI of the ldap db to connect to
(right now there is only one Active Directory server, but it would be
nice to be able to use different URIs for different suffixes down the road).
Attempt to bind to the remote database using the seeAlso DN. If the
remote bind succeeds, the local bind also succeeds.
The goal here is to allow users to opt into using their Active Directory
password for authentication. No data will be pulled from the remote ldap
and overlayed on the local account, it is strictly bind authentication only.
From searching around, I'm not sure what to use to do this. It seems
like slapd-ldap and slapo-chain might both do the remote ldap thing, and
then I might use slapo-rwn to somehow do a conditional test for the
seeAlso attribute and rewrite the bind DN, but I'm not sure.
If anyone could tell me if my idea is even possible, and some starting
points if so, it would be much appreciated.