[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: How to perform windows domain authentication with openldap

Nick Milas wrote:
On 24/6/2011 10:09 ÎÎ, Dan White wrote:

If that doesn't address your question, please provide additional details,
such as a deployment scenario.

   From what I understand, the scenario seems to be:

    1. The (windows) client is already authenticated against Windows
       Active Directory and logged in a domain.
    2. We have somewhere an OpenLDAP Server running and we want to allow
       access to it to clients already authenticated/logged in the domain
       (i.e. without performing another authentication in OpenLDAP).

How can we do it?

Use Kerberos. You will need to create a Kerberos service principal for the OpenLDAP server in the AD domain. The LDAP clients can then use SASL/GSSAPI with their Windows AD credentials to authenticate to slapd.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/