
Re: OpenLDAP as proxy to Active Directory backend



Jeff Lebo wrote:
Goal: LDAP server in Internet facing DMZ to provide authentication for
externally hosted applications using internal AD credentials.

I've done a LOT of reading and testing, and there is one thing I am still not
100% clear on:

Is it possible to do this WITHOUT having a local user database on the OpenLDAP
proxy?  We will have thousands of users that will need to authenticate, and I
can't maintain another user database (adds, removes, etc.).  Is there a way
to make OpenLDAP just act more like a reverse proxy and forward anything that
matches a specific domain on to the internal LDAP/AD server for password
verification?

That's exactly what back-ldap does. A couple other posts have already pointed you to its manpage/documentation. Everything else mentioned so far (SASL passthrough) is misdirection.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
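
A worked configuration for the setup the original poster describes, added here as an illustration and not taken from the thread or from the OpenLDAP project's documentation: an slapd.conf for a DMZ slapd with a single back-ldap database that forwards every operation to internal Active Directory, so the proxy holds no user entries and no password hashes. Hostnames, the naming context dc=corp,dc=example,dc=com, the service account cn=ldapproxy and the file paths are assumptions for the example; check each directive against your installed slapd-ldap(5).

```conf
# Added example, not from the thread: DMZ slapd proxying to internal AD.
# All hostnames, DNs, credentials and paths below are assumed values.

include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

# Refuse plaintext binds on the DMZ listener: external applications must
# use ldaps:// or StartTLS, otherwise the AD password crosses the Internet
# in the clear on its way to the proxy.
security        ssf=128

# Only needed when slapd was built with dynamic backends.
modulepath      /usr/lib/openldap
moduleload      back_ldap.la

###########################################################################
# Proxy database: no local entries, every operation is forwarded to AD.
###########################################################################
database        ldap

# Suffix presented to the external applications. Keeping it identical to
# the AD naming context means no DN rewriting is needed; if they must
# differ, slapo-rwm (rwm-suffixmassage) does the mapping.
suffix          "dc=corp,dc=example,dc=com"

# Internal domain controllers (assumed). LDAPS, with the AD CA pinned, so
# the proxied credentials are also encrypted on the internal leg.
uri             "ldaps://dc1.corp.example.com/ ldaps://dc2.corp.example.com/"
tls             ldaps tls_cacert=/etc/openldap/ad-ca.pem tls_reqcert=demand
protocol-version 3

# AD returns referrals for its other naming contexts (Configuration,
# DomainDnsZones, ...). The DMZ host must not chase them.
chase-referrals no

# A client's simple bind is forwarded to AD unchanged: AD verifies the
# password, the proxy never stores it.
#
# Most applications search for the user's DN before binding, and AD does
# not allow anonymous searches. Those searches are therefore bound to AD
# as a read-only service account (assumed). mode=none means the proxy
# never sends the proxyAuthz control, which AD does not implement.
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,ou=Service Accounts,dc=corp,dc=example,dc=com"
                credentials="change-me-and-keep-out-of-version-control"
                mode=none
idassert-authzFrom "*"

# Fail fast when a DC is unreachable instead of hanging external logins,
# and recycle idle/long-lived connections to AD.
network-timeout 5
timeout         bind=10 search=30
idle-timeout    300
conn-ttl        3600
```

Start slapd on an ldaps:// listener and check from the outside with `ldapwhoami -x -H ldaps://proxy.dmz.example.com -D "CN=Jane Doe,OU=Users,DC=corp,DC=example,DC=com" -W`: a correct AD password yields the user's DN, a wrong one yields invalid credentials from AD, and nothing about the account exists on the proxy. Two practitioner caveats: the DMZ host still handles every external user's password in memory during the bind, so it deserves the same hardening and monitoring as the directory itself, and the cn=ldapproxy account should be a plain, read-only AD user restricted to the attributes the external applications actually search on.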