There are several solutions to that: 1) Grant Everyone read permissions (this object and all child objects) to the domain object. The drawbacks are obvious: you are opening a HUGE security hole. You will definitely not want that in production.
2) Setup OpenLDAP and sync the needed attributes from AD. From what I can find ( http://docs.opengroupware.org/Members/sim/ldap-notes/view ), you will need to use top, account and simpleSecurityObject objectClasses. userPassword attribute can be a pointer to the user's Kerberos principal in AD Kerberos realm in the following form: userPassword: [EMAIL PROTECTED] In that way you can allow anonymous searches in OpenLDAP while exposing the bare minimum data and yet authenticate the users through LDAP. What happens in such a configuration is something like this: 1) OpenGroupware binds anonymously to OpenLDAP and performs the search for user object. 2) After the user object is found, OpenGroupware tries to bind as user to OpenLDAP (you should configure SSL/TLS if you do not want the passwords to travel in clear text) 3) OpenLDAP proxies the authentication request and passes it to AD's Kerberos. 4) AD's KDC verifies the user/password and returns OK to OpenLDAP. 5) OpenLDAP lets the user bind to OpenLDAP and user is authenticated. As you can figure it out, this approach greatly depends on the size of your AD (I have tested this at a small size network when implementing single sign-on for Linux clients. Have no idea how it will behave, if at all, with larger than single site implementation. Have a look at the following link for a HOWTO I used: http://www.arayan.com/da/yazi/OpenAFS_Kerberos_5.html Again, I have not tested it with OG and the mentioned above objectClasses (I needed top, person and posixAccount), but I guess this should work the same. Guy On Tue, 2004-05-18 at 17:17, Aitzol Naberan BurgaÃa wrote: > It's not so easy rewrite the source code, I will need spend a lot of > time to understand the source and to change it. But I think that I > have to do it, and change the bind method (I think it will work...). > > OpenGroupware is for unix systems, you can learn more in > www.opengroupware.org > > Thanks > -- > Aitzol Naberan BurgaÃa > CodeSyntax > [EMAIL PROTECTED] > www.codesyntax.com > Tel: 943 82 17 80 > > > joe(e)k dio: > > Ah. Interesting, so it sounds like they want to compare the hashes > > instead of actually use the authentication of the system. Well since > > it is OpenSource, that should be easy to rewrite and correct huh. > > :o) > > > > You can open up the anonymous search but if they need to see the > > password, you are dead in the water right there. You either can't > > use AD, can't use that product, or you need to modify the > > authentication routines. > > > > I have never heard of that product, is it *nix only or do they have > > Win32 ports? > > > > joe > > > > > > > > ____________________________________________________________________ > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Aitzol > > Naberan BurgaÃa > > Sent: Tuesday, May 18, 2004 9:21 AM > > To: [EMAIL PROTECTED] > > Subject: Re: [ActiveDir] Anonymous bind > > > > > > I'm trying to authentificate OpenGroupware (open source groupware > > suite) against Active Directory. The problem is that OpenGroupware's > > authentification method is a litle bit curious: It tries to do an > > anonymous bind to the ldap server before it will try to bind as the > > user name supplied at the login prompt. Active Directory will allow > > an anonymous bind, so that part is successful, but it does not allow > > an anonymous search. I'm not sure where authentification fails, > > because I have read thet OpenGroupware search a password and when > > doesn't find it fails. > > > > -- > > Aitzol Naberan BurgaÃa > > CodeSyntax > > [EMAIL PROTECTED] > > www.codesyntax.com > > Tel: 943 82 17 80 > > > > > > joe(e)k dio: > > > Correct. > > > > > > Aitzol, what problem are you trying to solve? > > > > > > joe > > > > > > __________________________________________________________________ > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On Behalf Of Brent > > > Westmoreland > > > Sent: Tuesday, May 18, 2004 8:41 AM > > > To: [EMAIL PROTECTED] > > > Subject: Re: [ActiveDir] Anonymous bind > > > > > > > > > I know that the unicodePwd attributes can never be read by way of > > > ldap, you will probably find that this is true for userPassword > > > also. > > > > > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;269190 > > > > > > > > > On May 18, 2004, at 6:29 AM, Aitzol Naberan BurgaÃa wrote: > > > > > > Hi all > > > > > > How can I grant "read" access to userPasswor attribute? > > > > > > > > > Thanks > > > > > > -- > > > Aitzol Naberan BurgaÃa > > > CodeSyntax > > > [EMAIL PROTECTED] > > > www.codesyntax.com > > > Tel: 943 82 17 80 > > > > > > List info : http://www.activedir.org/mail_list.htm List > > > FAQ : http://www.activedir.org/list_faq.htm List archive: > > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/mail_list.htm List FAQ : > > http://www.activedir.org/list_faq.htm List archive: > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : > http://www.activedir.org/list_faq.htm List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ -- Smith & Wesson - the original point and click interface List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
