Re: How to perform windows domain authentication with openldap

[Howard Chu <hyc@symas.com>]

Nick Milas wrote:
> On 24/6/2011 10:09 ÎÎ, Dan White wrote:
>
> > If that doesn't address your question, please provide additional details,
> > such as a deployment scenario.
>
>    From what I understand, the scenario seems to be:
>
>     1. The (windows) client is already authenticated against Windows
>        Active Directory and logged in a domain.
>     2. We have somewhere an OpenLDAP Server running and we want to allow
>        access to it to clients already authenticated/logged in the domain
>        (i.e. without performing another authentication in OpenLDAP).
>
> How can we do it?

Use Kerberos. You will need to create a Kerberos service principal for the 
OpenLDAP server in the AD domain. The LDAP clients can then use SASL/GSSAPI 
with their Windows AD credentials to authenticate to slapd.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/