[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP / Active directory cohabitation

To: Alexandre Rosenberg <arekkusu@r42.ch>
Subject: Re: OpenLDAP / Active directory cohabitation
From: Dan White <dwhite@cafedemocracy.org>
Date: Mon, 29 May 2017 12:00:09 -0500
Cc: openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <4b67a236-d021-4995-4dda-41c65d1a7fc6@r42.ch>
References: <4b67a236-d021-4995-4dda-41c65d1a7fc6@r42.ch>
User-agent: NeoMutt/20170113 (1.7.2)

On 05/29/17 23:36 +0900, Alexandre Rosenberg wrote:

I am in a environment where we use both OpenLDAP and Active Directory.
All Linux servers authenticate against OpenLDAP where we have usergroup, unix group (...)

This means that if perform a BIND and a search, the BIND should beperformed against the AD but the search result should from OpenLDAP.(anonymous search is fine)

The short username are used in in OpenLDAP like this:

	uid=john01,ou=People,dc=example,dc=com
While the AD uses the long username. From my test when binding to AD,only the "DN" is simply set to the username.
	john.smith@example.com


Pass-through authentication should work if you're performing simple binds.
Chapter 14 of the admin guide has a good example.

If you're doing sasl binds, use gssapi to authenticate against the AD
server directly.

--
Dan White

Follow-Ups:
- Re: OpenLDAP / Active directory cohabitation
  - From: Clément OUDOT <clem.oudot@gmail.com>

References:
- OpenLDAP / Active directory cohabitation
  - From: Alexandre Rosenberg <arekkusu@r42.ch>

Prev by Date: Re: OpenLDAP / Active directory cohabitation
Next by Date: Re: OpenLDAP / Active directory cohabitation
Index(es):
- Chronological
- Thread