A page in your DokuWiki was added or changed. Here are the details:
Date : 2011/08/26 15:06
Browser : Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0
IP-Address : 213.41.232.151
Hostname : dslm0.nerim.lyon.linagora.net
Old Revision: http://ltb-project.org/wiki/documentation/general/sasl_delegation?rev=1314362838
New Revision: http://ltb-project.org/wiki/documentation/general/sasl_delegation
Edit Summary:
User : coudot
@@ -7,7 +7,33 @@
It should be distinguished from the external authentication methods, that are
managed by the LDAP client to authenticate on a trusted source and then connect
to the directory.
Pass-Trough authentication is purely transparent for LDAP clients, as they
send standard authentication operations to the LDAP directory, which will then
handle the delegation and forward the response to the client, as the
authentication was done locally.
- A real world use case is the coexistence between OpenLDAP and Active
Directory: on choice can be to let the password into AD, and configure a
pass-trough authentication between OpenLDAP and AD. With this setup,
authentications done on the OpenLDPA part will use the AD password.
+ A real world use case is the coexistence between OpenLDAP and Active
Directory: on choice can be to let the password into AD, and configure a
pass-trough authentication between OpenLDAP and AD. With this setup,
authentications done on the OpenLDAP part will use the AD password.
+ ===== Technical description =====
+ OpenLDAP is known to be able to use pass-trough authentication. This option
should be compiled into it. If not, get the source and use this option in the
configure step:
+
+ <code>
+ ./configure --enable-spasswd
+ </code>
+
+ This will allow you to store password with this syntax in userPassword
attribute:
+
+ <file>
+ userPassword: {SASL}user@domain
+ </file>
+
+ <note tip>This option is enabled in [[..:openldap-rpm|LDAP Tool Box OpenLDAP
RPMs]].</note>
+
+ You then need the saslauthd daemon, which is available on most Linux
distributions.
+
+ The pass-trough authentication will then work like this:
+ - A BIND operation is received by OpenLDAP with parameters DN1 and PWD1
+ - OpenLDAP get DN1 entry and read userPassword attribute
+ - DN1 password is a SASL password so OpenLDAP do an SASL authentication
with user@domain and PWD1 credentials
+ - SASL authentication daemon use the credentials to look for the user into
the backend (for example Active Directory) and gets the matching DN, DN2
+ - SASL do a BIND operation with DN2 and PWD1
+ - The backend manage the BIND and return response to SASL
+ - SASL return response to OpenLDAP (yes/no)
+ - OpenLDAP return response to the LDAP client
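Review bot: the step list at the end of the hunk shows PWD1 being handed from OpenLDAP to saslauthd and then to the backend (AD), but the text never says how slapd is told to use saslauthd or how saslauthd is pointed at the backend; a reader following this page will have the `--enable-spasswd` build and the `{SASL}user@domain` syntax but no working chain. Suggest adding, after the "You then need the saslauthd daemon" paragraph, the slapd-side SASL setting (`pwcheck_method: saslauthd` in the SASL configuration file read by slapd) and a pointer to the saslauthd LDAP-backend configuration (`saslauthd.conf`), and, because the clear-text password is relayed on every BIND, a sentence stating that the saslauthd-to-backend connection must be protected (TLS / LDAPS) and that the saslauthd socket must not be reachable by untrusted local users. Two smaller points in the same hunk: the rewritten paragraph fixes "OpenLDPA" but still reads "on choice can be to let the password into AD" (should be "one choice can be to leave the password in AD"), and "pass-trough"/"Pass-Trough" should be "pass-through" throughout the new "Technical description" section; in the step list, "OpenLDAP get DN1 entry", "SASL do a BIND", "The backend manage the BIND and return response" and "SASL return response" need third-person singular verbs (gets, does, manages, returns).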
--
This mail was generated by DokuWiki at
http://ltb-project.org/wiki/
_______________________________________________
ltb-changes mailing list
http://lists.ltb-project.org/listinfo/ltb-changes