Re: OpenLDAP as proxy to Active Directory backend

[Bruce Carleton <bruce.carleton@dena.com>]

Jeff,

The basic functionality is there. You can tell OpenLDAP to use SASL
for authentication, against any available SASL mechanism that's
supported on your platform. Part of the story is here:

 http://www.openldap.org/doc/admin24/security.html#Pass-Through authentication

Pay very close attention to paragraph 14.5.1. That little SASL config
file (not part of OpenLDAP) will stop the show if it's not right.

I almost had it working, but I couldn't do it, because I still needed
local LDAP password hashes in my use case. I couldn't get the "{SASL}"
password value to work for some reason. Turning on SASL pass-through
seemed to be an all or nothing choice in my case. You will probably
have to do some work to get it up and running.

Best,

   --Bruce

On Tue, Oct 14, 2014 at 1:46 PM, Jeff Lebo <jeflebo@outlook.com> wrote:
> Goal:  LDAP server in Internet facing DMZ to provide authentication for
> externally hosted applications using internal AD credentials.
>
> I've done a LOT of reading and testing, and there is one thing I am still
> not 100% clear on:
>
> Is it possible to do this WITHOUT having a local user database on the
> OpenLDAP proxy?  We will have thousands of users that will need to
> authenticate, and I can't maintain another user database (adds, removes,
> etc..).  Is there a way to make OpenLDAP just act more like a reverse proxy
> and forward anything that matches a specific domain on to the internal
> LDAP/AD server for password verification?