
Re: (ITS#5856) adauth overlay contribution



On Fri, Dec 12, 2008 at 07:31:47PM +0000, kartik_subbarao@hp.com wrote:

> As discussed with Howard Chu, HP is contributing the code for an Active
> Directory Authentication overlay (written by Neil Dunbar) to OpenLDAP.
> 
> The adauth overlay provides passthrough authentication to Active Directory for
> LDAP simple bind operations. The local LDAP entry referenced in the bind
> operation is mapped to its counterpart in the Active Directory, an LDAP bind
> operation is performed against Active Directory, and results are returned based
> on the results of that remote operation. If a local userPassword attribute is
> populated for the entry, it is used instead of the AD authentication.

This is very good news, as it deals with a common requirement without
having to configure saslauthd.

One suggestion following a very quick scan of the code: I think it
would be worth bringing the warning about turning off TLS checks
into the manual page.

It is worth noting that this overlay raises issues similar to those
raised by the contributed adpwc/extpwc module - see ITS#5042. In this
case the access to AD is via LDAP rather than Kerberos, but most of
the arguments are similar. In particular, there is no reason for this
to be AD-specific and it should be easy to adapt it to authenticate
against any [collection of] remote LDAP servers.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
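The bind flow described in the quoted contribution (local userPassword takes precedence, otherwise the entry is mapped to a remote DN and the bind is forwarded), together with Andrew's point that the remote side need not be AD and that TLS verification must not be switched off, modelled in Python as an added example. This is constructed here and is not the adauth overlay's or OpenLDAP's code; the uid-to-UPN mapping, the in-memory stand-in for the remote directory and the PBKDF2 storage format are assumptions.

```python
"""Constructed model of passthrough simple-bind logic (not the adauth code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Any remote LDAP bind can be plugged in here: (remote_dn, password) -> success
RemoteBind = Callable[[str, str], bool]


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Assumed storage format for a local userPassword: hex(salt)$hex(pbkdf2)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_local(stored: str, password: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


@dataclass
class PassthroughAuth:
    entries: Dict[str, Dict[str, str]]                  # local DN -> attributes
    remote_bind: RemoteBind                             # AD, or any remote LDAP server
    map_dn: Callable[[Dict[str, str]], Optional[str]]   # local entry -> remote DN
    tls_verified: bool = True                           # the check Andrew wants documented

    def simple_bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        # An empty password is an LDAP unauthenticated bind; never forward it as a credential.
        if entry is None or password == "":
            return False
        if "userPassword" in entry:                     # local password wins, AD not consulted
            return verify_local(entry["userPassword"], password)
        if not self.tls_verified:                       # forwarding a cleartext password needs a verified channel
            raise RuntimeError("refusing passthrough bind without verified TLS to the remote server")
        remote_dn = self.map_dn(entry)
        return remote_dn is not None and self.remote_bind(remote_dn, password)


# Constructed sample data: a fake remote directory and two local entries.
FAKE_REMOTE = {"alice@example.corp": "ad-secret"}
LOCAL = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": hash_password("local-secret")},
}
AUTH = PassthroughAuth(LOCAL, lambda rdn, pw: FAKE_REMOTE.get(rdn) == pw, lambda e: f"{e['uid']}@example.corp")
```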