
Re: Use OpenLDAP for some users and as a proxy for another set of users?

On 26/05/2016 15:38, Siebrand Mazeland wrote:
Hi. I'm a first time poster, new to OpenLDAP, and I have identified this list as the (hopefully) best place for my question.

I have an Active Directory that contains accounts and groups for employees. Besides that, there is a group of around 1000 people that also need to be authenticated and authorized (based on group membership). I'm trying to assess if OpenLDAP can be used for a scenario to avoid Windows CAL license costs.

Is it possible to administer and authenticate the non-employees in OpenLDAP, and proxy requests about users that are not found in OpenLDAP to an AD? The information needed by the applications using OpenLDAP would be UPN, sAMAccountName, email address and group membership of the authenticated users.

If this can be accomplished with OpenLDAP, that would a) be very nice, and b) I would like you to explain this in brief here, and approach me off-list to help me accomplish this. If there's no ready-made recipe for this, and it can be done, I'm willing to publish the configuration so others can benefit from the work, too.


Hi,

I usually solve this kind of problem by syncing AD users into OpenLDAP with LSC (http://www.lsc-project.org) and then using SASL delegation to authenticate the AD users (the password is kept in AD): http://ltb-project.org/wiki/documentation/general/sasl_delegation

Hope it helps,

--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
Blog: http://sflx.ca/coudot
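As an added illustration of the SASL delegation setup described in the reply above (this is not part of the original thread, nor configuration from the LSC or LTB projects; the hostnames, base DNs, realm, account names and file paths are invented placeholders), here are the pieces that normally have to line up: saslauthd verifying the submitted password against AD, libsasl inside slapd handing the check to saslauthd, and a mirrored AD user whose userPassword carries the {SASL} marker instead of a hash.

```conf
# --- /etc/saslauthd.conf  (saslauthd started with MECHANISMS="ldap") ---
# saslauthd looks the user up in AD with a read-only account, then binds to
# AD as that user with the password it was given. All values are placeholders.
ldap_servers: ldaps://ad.example.com/
ldap_tls_cacert_file: /etc/ssl/certs/ad-ca.pem
ldap_search_base: dc=example,dc=com
# %u is the user part of the {SASL} value, %r the realm part
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=ldap-lookup,ou=service,dc=example,dc=com
ldap_password: PLACEHOLDER-lookup-account-password
# This file holds a credential: keep it root-owned and mode 0600.

# --- /etc/sasl2/slapd.conf  (libsasl configuration read by slapd) ---
# slapd has to be built with --enable-spasswd for {SASL} userPassword values.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
mech_list: PLAIN

# --- slapd.conf  (or the equivalent olc* attributes under cn=config) ---
# With a simple bind the password reaches slapd in clear unless the client leg
# is protected; require at least 128-bit TLS strength for every operation.
security ssf=128
# No "by self write": the real password lives in AD, so a user must not be able
# to replace the {SASL} marker with a local hash and bypass delegation.
access to attrs=userPassword
        by anonymous auth
        by * none
access to *
        by users read
        by * none

# --- LDIF for an AD user mirrored into OpenLDAP (for example by LSC) ---
# No hash is stored; the {SASL} value makes slapd ask saslauthd, which in turn
# binds against AD with the submitted password.
dn: uid=jdoe,ou=employees,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
mail: jdoe@example.com
userPassword: {SASL}jdoe@EXAMPLE.COM
```

The non-employee accounts administered directly in OpenLDAP simply keep an ordinary hashed userPassword ({SSHA} or similar) and never touch saslauthd, so both populations authenticate against the same DIT while the AD passwords stay in AD. Check a mirrored user from a client with `ldapwhoami -ZZ -x -D "uid=jdoe,ou=employees,dc=example,dc=com" -W`; both legs (client to slapd, saslauthd to AD) should be under TLS, because the AD password otherwise crosses the network twice in clear.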