[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: OpenLDAP Proxy for Active Directory Authentication (slapd.d)

To: Howard Chu <hyc@symas.com>, Dan White <dwhite@cafedemocracy.org>
Subject: RE: OpenLDAP Proxy for Active Directory Authentication (slapd.d)
From: Šmucr Jan <Jan.Smucr@aimtec.cz>
Date: Thu, 13 Nov 2014 12:33:58 +0000
Accept-language: cs-CZ, en-US
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Content-language: en-US
In-reply-to: <54622B12.8050604@symas.com>
References: <da9e63ceab0545b5b63eab97cb628d58@Mbox02.aimtec.cz> <20141111144136.GA3991@dan.olp.net> <54622B12.8050604@symas.com>
Thread-index: Ac/9kblnsaqKGHmcRM6gBN/o9m3SegAI32OAAAGhYgAAX4IngA==
Thread-topic: OpenLDAP Proxy for Active Directory Authentication (slapd.d)

So... I tried to achieve the objective with using the meta backend with two targets -- local and remote. Now -- how can I configure the server so the request is delegated to the remote server after it fails on the local?

By the way, I gave up my attempts to configure the server using slap.d, as there's simply not enough documentation to it and I don't need to deal with any additional pain at the moment.

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com] 
Sent: Tuesday, November 11, 2014 4:28 PM
To: Dan White; Šmucr Jan
Cc: openldap-technical@openldap.org
Subject: Re: OpenLDAP Proxy for Active Directory Authentication (slapd.d)

Dan White wrote:
> On 11/11/14 09:50 +0000, Šmucr Jan wrote:
>> User wants to authenticate --> Client (Gerrit 2.9.1) connects to the 
>> local OpenLDAP server --> The OpenLDAP server searches its local 
>> database for a relevant entry
>>
>> *         Entry found --> Inform the client
>>
>> *         Entry not found --> Delegate the request to the remote
>> Active directory server
>>
>> o   Entry found --> Inform the OpenLDAP server --> Inform the client
>>
>> o   Entry not found --> Inform the OpenLDAP server --> Inform the client
>
>> [1] http://ltb-project.org/wiki/documentation/general/sasl_delegation
>
> To work with pass-through authentication, all users will need a valid 
> entry within your OpenLDAP tree. Those you wish to authenticate 
> against active directory will need a userPassword attribute of:
>
> userPassword: {SASL}user@domain

Why do people keep trying to use "pass-through authentication" when the question clearly is about *proxying*. back-ldap and back-meta exist for proxying. This was just answered a few weeks ago.

http://www.openldap.org/lists/openldap-technical/201410/msg00078.html

The obvious solution here is a local database with back-meta in front of it. The back-meta instance can be pointed at both the remote AD server and the local server and will automatically search both DBs to find a user's account (when performing a search request) and then the following Bind request will just do the right thing.

Use the right tool for the job. pass-through authentication is not the solution for a proxying task.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- OpenLDAP Proxy for Active Directory Authentication (slapd.d)
  - From: Šmucr Jan <Jan.Smucr@aimtec.cz>
- Re: OpenLDAP Proxy for Active Directory Authentication (slapd.d)
  - From: Dan White <dwhite@cafedemocracy.org>
- Re: OpenLDAP Proxy for Active Directory Authentication (slapd.d)
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: questions on overlay sssvlv
Next by Date: Re: adding VLV support to OpenLDAP 2.4.31
Index(es):
- Chronological
- Thread