[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP / Active directory cohabitation



On 05/29/17 23:36 +0900, Alexandre Rosenberg wrote:
I am in a environment where we use both OpenLDAP and Active Directory.
All Linux servers authenticate against OpenLDAP where we have user group, unix group (...)

This means that if perform a BIND and a search, the BIND should be performed against the AD but the search result should from OpenLDAP. (anonymous search is fine)

The short username are used in in OpenLDAP like this:

	uid=john01,ou=People,dc=example,dc=com

While the AD uses the long username. From my test when binding to AD, only the "DN" is simply set to the username.

	john.smith@example.com

Pass-through authentication should work if you're performing simple binds.
Chapter 14 of the admin guide has a good example.

If you're doing sasl binds, use gssapi to authenticate against the AD
server directly.

--
Dan White