Re: Question regarding using OpenLDAP as a proxy to multiple AD servers
- To: Mārtiņš Mieriņš <martins.mierins@gmail.com>
- Subject: Re: Question regarding using OpenLDAP as a proxy to multiple AD servers
- From: MJ J <mikedotjackson@gmail.com>
- Date: Sat, 11 Nov 2017 14:33:09 +0200
- Cc: openldap-technical@openldap.org
- In-reply-to: <CALYo-SFKyyg21MHe-m8qLqk9E4mLwOizTq4PDFi=eweuC0_xFg@mail.gmail.com>
- References: <CALYo-SFKyyg21MHe-m8qLqk9E4mLwOizTq4PDFi=eweuC0_xFg@mail.gmail.com>
Hi,
You can accomplish what you desire with the OpenLDAP meta backend and saslauthd.
Full instructions are on this page:
https://ltb-project.org/documentation/general/sasl_delegation
-mike
On Fri, Nov 10, 2017 at 2:22 PM, Mārtiņš Mieriņš
<martins.mierins@gmail.com> wrote:
> Hi,
>
> I'm new to OpenLDAP, I've been reading documentation for some time but
> cannot figure out whether there is a solution.
>
> We have many products in our company that are using sAMAccountName
> (from Active Directory server) as login credentials for authentication
> purpose. Now we have an additional requirement to support
> authentication of users from another Active Directory server. Since
> many products do not allow specifying more than one LDAP server, the
> idea is to configure an OpenLDAP proxy that will then forward requests to
> either AD server. Nevertheless the format of login credentials has to
> stay the same.
> So the final goal is to be able to authenticate users of both AD
> directories via binding against OpenLDAP proxy using sAMAccountName
> (can add some other data in DN but it has to be static).
>
> 1. Can OpenLDAP be configured to accept sAMAccountName and domain as
> bind DN and then forward it to either AD server depending on domain
> name?
> 2. If not, can OpenLDAP be configured to perform a search (including
> filtering by the sAMAccountName field) behind the scenes and then bind
> using the DN of the found user? (All this happens when a user tries to
> bind against the OpenLDAP proxy.)
> 3. Any other solutions?
>
>
> BR,
> Martins
>
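The flow described in point 2 of the question (search the backend by sAMAccountName, then bind as the DN that was found), combined with the domain-based routing from point 1, written out as an added Python illustration. This is not code from the reply, from the thread, or from the linked LTB page, and it is not how OpenLDAP's meta backend or saslauthd are configured; it only makes the logic of the proxy concrete. The two AD servers are replaced by constructed in-memory stand-ins, and every domain, DN, account name and password below is made up. Beyond the question itself it shows two things a proxy of this kind has to get right: the login name is escaped before it goes into the search filter (RFC 4515), and an empty password is refused before the bind is attempted.

```python
"""Search-then-bind proxy logic for two AD domains (added illustration, not OpenLDAP code)."""
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    A user-supplied login name must be escaped before it is placed in the
    (sAMAccountName=...) filter; otherwise '*', '(', ')' and '\\' would change
    the meaning of the filter the proxy sends to the backend.
    """
    special = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
    return ''.join(special.get(ch, ch) for ch in value)


@dataclass
class FakeActiveDirectory:
    """Minimal stand-in for one AD server (constructed test data, not a real DC).

    entries maps a DN to its attributes; passwords maps a DN to its password.
    Only the two operations the proxy needs are modelled: a one-attribute
    equality/substring search and a simple bind.
    """
    entries: Dict[str, Dict[str, str]]
    passwords: Dict[str, str]

    _FILTER = re.compile(r'^\((\w+)=(.*)\)$')

    def search(self, filter_str: str) -> List[str]:
        """Return the DNs whose attribute matches the filter's pattern.

        The pattern is interpreted the way a directory server would: an
        unescaped '*' is a wildcard, while an escaped sequence such as '\\2a'
        is the literal character.
        """
        m = self._FILTER.match(filter_str)
        if not m:
            raise ValueError('unsupported filter: %r' % filter_str)
        attr, pattern = m.group(1), m.group(2)

        def decode(piece: str) -> str:
            # Turn RFC 4515 hex escapes back into literal characters.
            return re.sub(r'\\([0-9a-fA-F]{2})', lambda h: chr(int(h.group(1), 16)), piece)

        # Literal pieces between unescaped '*' become escaped regex text, '*' becomes '.*'.
        regex = '.*'.join(re.escape(decode(p)) for p in pattern.split('*'))
        matcher = re.compile(regex, re.IGNORECASE)  # sAMAccountName matches case-insensitively
        return [dn for dn, attrs in self.entries.items() if matcher.fullmatch(attrs.get(attr, ''))]

    def simple_bind(self, dn: str, password: str) -> bool:
        """Simple bind: succeeds only for a known DN with the matching password."""
        expected = self.passwords.get(dn)
        if expected is None or password == '':
            # A real server may treat an empty password as an unauthenticated bind
            # and report success, so the proxy must never forward one.
            return False
        return hmac.compare_digest(expected.encode(), password.encode())


class MultiDomainProxy:
    """Route a 'sAMAccountName@domain' login to the AD server registered for that
    domain, search by sAMAccountName, then bind as the DN that was found."""

    def __init__(self, backends: Dict[str, FakeActiveDirectory]):
        self.backends = {domain.lower(): server for domain, server in backends.items()}

    @staticmethod
    def parse_login(login: str) -> Optional[Tuple[str, str]]:
        """Accept only the fixed 'user@domain' shape; anything else is rejected."""
        user, sep, domain = login.rpartition('@')
        if not sep or not user or not domain:
            return None
        return user, domain.lower()

    def authenticate(self, login: str, password: str) -> Optional[str]:
        """Return the backend DN on success, None on any failure.

        Unknown domain, unknown user, ambiguous search result and wrong password
        all yield the same None, so the caller learns nothing about which step failed.
        """
        parsed = self.parse_login(login)
        if parsed is None:
            return None
        user, domain = parsed
        server = self.backends.get(domain)
        if server is None:
            return None
        matches = server.search('(sAMAccountName=%s)' % escape_filter_value(user))
        if len(matches) != 1:
            return None  # no such user, or more than one entry matched
        dn = matches[0]
        return dn if server.simple_bind(dn, password) else None


def build_demo_proxy() -> MultiDomainProxy:
    """Two constructed AD stand-ins with made-up users and passwords."""
    corp_a = FakeActiveDirectory(
        entries={
            'CN=Jane Doe,CN=Users,DC=corp-a,DC=example': {'sAMAccountName': 'jdoe'},
            'CN=Jim Doe,CN=Users,DC=corp-a,DC=example': {'sAMAccountName': 'jimdoe'},
        },
        passwords={
            'CN=Jane Doe,CN=Users,DC=corp-a,DC=example': 'a-pw-1',
            'CN=Jim Doe,CN=Users,DC=corp-a,DC=example': 'a-pw-2',
        },
    )
    corp_b = FakeActiveDirectory(
        entries={'CN=Bob Smith,CN=Users,DC=corp-b,DC=example': {'sAMAccountName': 'bsmith'}},
        passwords={'CN=Bob Smith,CN=Users,DC=corp-b,DC=example': 'b-pw-1'},
    )
    return MultiDomainProxy({'corp-a.example': corp_a, 'corp-b.example': corp_b})


if __name__ == '__main__':
    proxy = build_demo_proxy()
    print(proxy.authenticate('jdoe@corp-a.example', 'a-pw-1'))   # the corp-a DN
    print(proxy.authenticate('jim*@corp-a.example', 'a-pw-2'))   # None: the '*' is escaped
```

The static part of the bind name (the domain after `@`) is what selects the backend, which is the "some other static data in the DN" the question allows for. The escaping matters because a search-then-bind proxy turns whatever the client typed into a filter: with escaping, `jim*` is looked up as a literal account name and finds nothing, whereas unescaped it would be a wildcard that resolves to a single real account.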