Re: conditional bind authentication against external ldap server
On 02/05/11 16:48 -0600, Patrick H. wrote:
> I'm trying to set up a way to have bind requests authenticated by
> logging into an external ldap server. But to make things more
> complicated, I only want to do it if a certain attribute is defined
> on the user's entry.
>
> When a user binds, check to see if the 'seeAlso' attribute is defined
> for the user.
>
> If 'seeAlso' is not defined, try to authenticate as normal using the
> 'userPassword' stored in the local database.
>
> If it is defined, 'seeAlso' will contain the DN of the user in
> another ldap database (Active Directory in this case).
>
> Use the seeAlso DN to determine the URI of the ldap db to connect to
> (right now there is only one Active Directory server, but it would be
> nice to be able to use different URIs for different suffixes down the
>
> Attempt to bind to the remote database using the seeAlso DN. If the
> remote bind succeeds, the local bind also succeeds.
>
> The goal here is to allow users to opt into using their Active
> Directory password for authentication. No data will be pulled from
> the remote ldap and overlaid on the local account, it is strictly
> bind authentication only.
>
> From searching around, I'm not sure what to use to do this. It seems
> like slapd-ldap and slapo-chain might both do the remote ldap thing,
> and then I might use slapo-rwm to somehow do a conditional test for
> the seeAlso attribute and rewrite the bind DN, but I'm not sure.
>
> If anyone could tell me if my idea is even possible, and some
> starting points if so, it would be much appreciated.

What software will be performing the authentication? Is the LDAP protocol
exposed to the end user, or are they authenticating to a web server or some
Can you accomplish this programmatically or via a script? Or is this
functionality that has to logically be accomplished within slapd?
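
The decision flow described in the quoted message, written out as an added Python example (not code from this thread or from OpenLDAP). The entry dict, the `local_check` and `remote_bind` callables, and the suffix-to-URI table with its hosts are assumptions made for the example; it rejects empty passwords and never falls back to the local `userPassword` once `seeAlso` is set.

```python
from typing import Mapping, Optional

# Constructed suffix -> URI table (hypothetical hosts); keys are lowercase.
REMOTE_URIS = {
    "dc=corp,dc=example,dc=com": "ldaps://ad1.example.com",
    "dc=example,dc=com": "ldaps://ad-root.example.com",
}


def uri_for_dn(dn: str, table: Mapping[str, str] = REMOTE_URIS) -> Optional[str]:
    """Return the URI for the longest suffix that matches dn, else None.

    Simplification: splits on ',' and ignores escaped commas in RDN values.
    """
    norm = ",".join(part.strip().lower() for part in dn.split(","))
    matches = [s for s in table if norm == s or norm.endswith("," + s)]
    return table[max(matches, key=len)] if matches else None


def authenticate(entry, password, local_check, remote_bind) -> bool:
    """Decide a bind: local userPassword check, or delegated remote bind.

    local_check(entry, password) and remote_bind(uri, dn, password) are
    hypothetical callables supplied by the caller; both return True/False.
    """
    # An empty password turns a simple bind into an "unauthenticated bind"
    # (RFC 4513, section 5.1.2), which some servers answer with success.
    # Reject it before anything is delegated.
    if not password:
        return False
    see_also = entry.get("seeAlso") or []
    if not see_also:
        return bool(local_check(entry, password))
    # Opted-in user: exactly one remote DN is expected (assumption). Any
    # ambiguity, unknown suffix or remote error fails closed.
    if len(see_also) != 1:
        return False
    uri = uri_for_dn(see_also[0])
    if uri is None:
        return False
    try:
        return bool(remote_bind(uri, see_also[0], password))
    except Exception:
        return False
```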