Hi William,

Maybe I didn't explain myself correctly. I have no problem making OpenLDAP work as a consolidation directory for a single Active Directory forest, with SASL doing the pass-through authentication from OpenLDAP to the AD global catalogue. What I don't know is how to do it with multiple AD domain controllers.
Let me give an example:

    User: Paulo.Correia    Domain Controller: AD.cisco.com    UPN: [email protected]
    User: William.Brown    Domain Controller: AD.mit.edu      UPN: [email protected]

Now I want to have a single directory in OpenLDAP that holds both users and passes the authentication through to the original ADs:

    # Paulo Correia, Users, consolidated.com
    dn: CN=Paulo Correia,CN=Users,DC=consolidated,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    cn: Paulo Correia
    sn: Correia
    givenName: Hernani
    userPassword: {sasl}[email protected]
    userPrincipalName: [email protected]
    mail: [email protected]

    # William Brown, Users, consolidated.com
    dn: CN=William Brown,CN=Users,DC=consolidated,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    cn: William Brown
    sn: Brown
    givenName: William
    userPassword: {sasl}[email protected]
    userPrincipalName: [email protected]
    mail: [email protected]

My problem is that in /etc/saslauthd.conf I have to statically define a single LDAP server, or several, for the queries:

    ldap_servers: ldap://ad-cisco-1.cisco.com
    ldap_search_base: dc=cisco,dc=com
    ldap_timeout: 10
    ldap_filter: sAMAccountName=%u
    ldap_bind_dn: cn=Administrator,cn=users,dc=cisco,dc=com
    ldap_password: Cisco,123
    ldap_deref: never
    ldap_restart: yes
    ldap_scope: sub
    ldap_use_sasl: no
    ldap_start_tls: no
    ldap_version: 3
    ldap_auth_method: bind

I need to bind based on the domain, not a single bind in SASL. Can you help?

Paulo

-----Original Message-----
From: Indexer [mailto:[email protected]]
Sent: Monday, November 15, 2010 11:44 AM
To: Paulo Jorge N. Correia (paucorre)
Cc: [email protected]
Subject: Re: Pass-Through authentication

On 15/11/2010, at 04:59, Paulo Jorge N. Correia (paucorre) wrote:
> Hi all,
>
> I'm just starting with OpenLDAP and saslauthd, and I'm trying to
> replicate what I can achieve with ADAM/AD LDS on the Windows platform.
>
> I'm trying to use OpenLDAP to aggregate user information from several
> AD servers under different forests.
>
> So a single point of contact from an LDAP perspective for an
> organization, and then OpenLDAP should pass through the authentication
> request it receives to the AD DC of the respective user.
>
> This works well with saslauthd for a single domain, but if I need to
> do this with multiple domains, I don't know how to configure saslauthd.

Windows and AD utilise Kerberos. Just treat your AD servers as KRB5 realms, and it works. Both MIT and Heimdal can work with this, so following the passthrough instructions for these will work.

Alternatively, you can use AD as an LDAP server, but it follows much the same principles.

http://www.openldap.org/doc/admin24/security.html

> Can someone help?
>
> Thank you,
>
> Paulo

William Brown
pgp.mit.edu
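The part of the problem that the saslauthd LDAP backend cannot express is choosing a different forest per realm: `ldap_servers` is one static (failover) list, so the `user@realm` that slapd passes along for a `{SASL}` userPassword can only select a filter or search base, not a server. The routing therefore has to live somewhere else, either in Kerberos (krb5.conf's `[realms]` maps each realm to its own KDCs, which is what William's suggestion amounts to) or in a small front end that does the realm lookup before talking to the right DC. The script below is an added example, not code from the thread or from OpenLDAP or Cyrus SASL: it parses the consolidated entries' `{SASL}user@realm` values, refuses entries with no realm or with a realm that is not in the configured table, escapes the user part per RFC 4515 before it is placed in the search filter, and reports which DC and filter each entry would be authenticated against. The hostnames, bases and bind DNs in `BACKENDS`, and the sample LDIF, are constructed assumptions.

```python
"""Realm-aware routing for {SASL} pass-through entries (added example).

Constructed demo, not code from the thread. It takes the consolidated
entries' userPassword values ({SASL}user@REALM), parses user and realm,
and picks the forest to authenticate against from a per-realm table.
Server names, bases and bind DNs in BACKENDS are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Backend:
    """One AD forest, i.e. what a single saslauthd.conf can describe."""
    ldap_uri: str
    search_base: str
    bind_dn: str
    filter_template: str = "(sAMAccountName={user})"


# Assumed per-realm table: realm names follow the thread, hosts/bases do not.
BACKENDS = {
    "AD.CISCO.COM": Backend("ldaps://ad-cisco-1.cisco.com", "dc=cisco,dc=com",
                            "cn=svc-consolidated,cn=users,dc=cisco,dc=com"),
    "AD.MIT.EDU": Backend("ldaps://ad.mit.edu", "dc=ad,dc=mit,dc=edu",
                          "cn=svc-consolidated,cn=users,dc=ad,dc=mit,dc=edu"),
}

_SASL_VALUE = re.compile(r"^\{sasl\}([^@]+)(?:@([^@]+))?$", re.IGNORECASE)

# RFC 4515: these characters must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def split_sasl_password(value):
    """'{SASL}paulo.correia@AD.CISCO.COM' -> ('paulo.correia', 'AD.CISCO.COM').

    The realm is upper-cased (Kerberos realms are case-sensitive and AD realms
    are conventionally upper-case); a missing realm yields None.
    """
    m = _SASL_VALUE.match(value.strip())
    if not m:
        raise ValueError("not a {SASL} pass-through value: %r" % value)
    user, realm = m.group(1), m.group(2)
    return user, (realm.upper() if realm else None)


def escape_filter_value(s):
    """Escape a user-controlled string before it is placed in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in s)


def route(value):
    """Return (Backend, filter) for one userPassword value.

    Entries without a realm are refused rather than silently sent to a
    default forest, and realms not in the table are refused as well.
    """
    user, realm = split_sasl_password(value)
    if realm is None:
        raise ValueError("no realm in %r; refusing to guess a forest" % value)
    backend = BACKENDS.get(realm)
    if backend is None:
        raise ValueError("realm %r is not a configured forest" % realm)
    return backend, backend.filter_template.format(user=escape_filter_value(user))


def parse_ldif(text):
    """Minimal LDIF reader: a list of {attr: [values]} dicts.

    Enough for the flat entries in this thread; no base64 or continuation lines.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, val = line.partition(":")
        current.setdefault(attr.strip(), []).append(val.strip())
    if current:
        entries.append(current)
    return entries


def route_entries(ldif_text):
    """Map each entry's dn to (ldap_uri, search_base, filter)."""
    result = {}
    for entry in parse_ldif(ldif_text):
        backend, flt = route(entry["userPassword"][0])
        result[entry["dn"][0]] = (backend.ldap_uri, backend.search_base, flt)
    return result


# Constructed sample modelled on the two consolidated entries in the thread.
SAMPLE_LDIF = """\
dn: CN=Paulo Correia,CN=Users,DC=consolidated,DC=com
objectClass: person
cn: Paulo Correia
userPassword: {sasl}paulo.correia@AD.CISCO.COM

dn: CN=William Brown,CN=Users,DC=consolidated,DC=com
objectClass: person
cn: William Brown
userPassword: {sasl}william.brown@ad.mit.edu
"""

if __name__ == "__main__":
    for dn, (uri, base, flt) in route_entries(SAMPLE_LDIF).items():
        print(dn, "->", uri, base, flt)
```

With the Kerberos route instead, the same split happens inside saslauthd: run it with `-a kerberos5`, list each AD domain as a realm in krb5.conf's `[realms]` section, keep `userPassword: {SASL}user@REALM` in the consolidated entries, and check one realm at a time with `testsaslauthd -u paulo.correia -r AD.CISCO.COM -p <password>`. Whichever backend is used, make sure the password check is bound to something only the genuine domain can answer (a service keytab for Kerberos, certificate-verified LDAPS for a bind), since a pass-through that accepts any KDC or any DNS answer for the realm is only as strong as the network path to it.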
