On 26/01/2017 at 18:11, Soisik Froger wrote:
Hi Benoit,
I had a similar use case before; it is definitely no good to store
passwords in the clear, and I would try and think about something a bit
simpler than I/O encryption.
Have you considered making openLdap delegate the authorization service
to AD for these users? I've done that with cyrus-sasl, works great,
passwords are never known to openLdap, it just sends an
authentication request to another directory for some users (not all)
when it receives one. See http://www.openldap.org/doc/admin24/sasl.html
The main benefit is that the passwords would be stored and managed
only in AD (which is usually the master), so there will be no need to
duplicate them in two places, which is often a big pain to handle.
Indeed, this is also a good solution.
You can find a tutorial here:
http://ltb-project.org/documentation/general/sasl_delegation
Clément.
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
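The pass-through setup discussed in this thread has two halves: the chosen OpenLDAP entries get a `userPassword` of the form `{SASL}user@REALM`, which makes slapd hand a simple bind to Cyrus SASL instead of checking a stored hash, and saslauthd (`-a ldap`) verifies that password by binding to AD as the user. The script below is an added example, not code from this thread, from the LTB tutorial or from the LSC project: it generates the LDIF for the delegated subset of accounts (so local accounts keep their own hashes, matching the "some users, not all" point above) and renders the matching saslauthd.conf. The hostnames, DNs, the realm and the `managed_in_ad` flag are constructed assumptions; the saslauthd option names are the standard ones from its LDAP backend.

```python
"""Selective SASL pass-through from OpenLDAP to AD (added example).

Produces (1) the LDIF that switches AD-managed accounts to a {SASL}
userPassword and (2) the saslauthd.conf that lets saslauthd verify those
passwords against AD. All names below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    dn: str              # DN of the entry in OpenLDAP
    uid: str             # login name; must equal sAMAccountName in AD when delegated
    managed_in_ad: bool  # hypothetical flag: True when the password lives in AD


# Cyrus SASL application config for slapd (sasl2/slapd.conf): with this in
# place, a simple bind against a {SASL} entry is checked by saslauthd, not slapd.
SLAPD_SASL_CONF = "pwcheck_method: saslauthd\n"


def sasl_password_value(uid: str, realm: str) -> str:
    """Build the userPassword value that delegates the bind to SASL."""
    # A stray '@' or newline would change which AD account is looked up or
    # break the LDIF, so refuse such names instead of writing them out.
    if not uid or any(c in uid for c in "@\r\n"):
        raise ValueError(f"invalid uid for SASL delegation: {uid!r}")
    return f"{{SASL}}{uid}@{realm}"


def build_delegation_ldif(users, realm: str) -> str:
    """Return an LDIF that replaces userPassword only for AD-managed users.

    Entries with managed_in_ad=False are left untouched, which is what keeps
    the delegation selective.
    """
    changes = []
    for u in users:
        if not u.managed_in_ad:
            continue
        changes.append("\n".join([
            f"dn: {u.dn}",
            "changetype: modify",
            "replace: userPassword",
            f"userPassword: {sasl_password_value(u.uid, realm)}",
            "-",
        ]))
    return "\n\n".join(changes) + ("\n" if changes else "")


def render_saslauthd_conf(ad_uri: str, search_base: str, bind_dn: str) -> str:
    """saslauthd -a ldap configuration that authenticates by binding to AD as
    the user (ldap_auth_method: bind). %u is the user part of uid@REALM.

    StartTLS is forced so the forwarded password never crosses the wire to AD
    in the clear; the lookup account's password is a placeholder here and the
    real file must be readable by the saslauthd user only.
    """
    return "\n".join([
        f"ldap_servers: {ad_uri}",
        "ldap_start_tls: yes",
        "ldap_tls_check_peer: yes",
        f"ldap_search_base: {search_base}",
        "ldap_filter: (sAMAccountName=%u)",
        f"ldap_bind_dn: {bind_dn}",
        "ldap_password: __REPLACE_WITH_LOOKUP_ACCOUNT_PASSWORD__",
        "ldap_auth_method: bind",
        "",
    ])


# Constructed sample directory: one AD-managed person, one local service account.
SAMPLE_USERS = [
    User("uid=jdoe,ou=people,dc=example,dc=com", "jdoe", True),
    User("uid=svc-backup,ou=people,dc=example,dc=com", "svc-backup", False),
]

if __name__ == "__main__":
    print(build_delegation_ldif(SAMPLE_USERS, "EXAMPLE.COM"))
    print(render_saslauthd_conf("ldap://ad.example.com/",
                                "dc=ad,dc=example,dc=com",
                                "cn=ldap-lookup,ou=service,dc=ad,dc=example,dc=com"))
```

Two caveats worth keeping in mind when deploying this: the delegation only covers simple binds, and the client still sends its password to slapd, so TLS on the OpenLDAP side (for example a `security ssf=` requirement) is still needed even though slapd never stores it; and failed pass-through attempts surface in saslauthd's log rather than slapd's, so that log belongs in whatever monitoring already watches AD authentication failures.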