On 28.05.2014 13:00, Howard Chu wrote:
> Mattias Segerdahl wrote:
>> Hello,
>>
>> I was wondering if it is possible to configure OpenLDAP 2.4 to only check the
>> password validation with Active Directory and have the rest of the user
>> attributes, such as mail, loginShell, homeDirectory, etc. come from OpenLDAP?
>> Any pointers, guides, howto's or even "let me google that for you" are highly
>> appreciated.
>
> Several ways to do that. Use the adauth overlay, or the remoteauth
> overlay, or the pbind overlay, for example.

Another possibility is to do it with SASL Pass-Through (see 14.5 of
http://www.openldap.org/doc/admin24/security.html).

Quite simple, but beware: make sure that the SASL daemon is configured to use
ldaps when connecting to AD, since the clear text password is transmitted.

> Overall it's a bad idea, Active Directory authentication is thousands
> of times slower than OpenLDAP authentication. You can very easily
> overload the AD server on an active network.

This of course is correct. Only do it if you don't expect heavy load!

Cheers,

Peter

--
Peter Gietz, CEO
DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany
phone: +49 7071 407109-0
fax: +49 7071 407109-9
email: [email protected]
web: www.daasi.de

Registered office: Tübingen
Register court: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz
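The SASL pass-through setup Peter describes, written out as an added example (this is not configuration from the thread or from the OpenLDAP or Cyrus SASL projects). It assumes Cyrus saslauthd is started with `-a ldap`, that slapd was built with Cyrus SASL support, and that the AD host names, the CA bundle path, the lookup account and the base DN shown here are placeholders to be replaced. The three pieces are the saslauthd LDAP backend configuration, slapd's SASL library configuration, and the OpenLDAP user entry whose `userPassword` delegates the check to saslauthd while all other attributes stay local.

```conf
# --- /etc/saslauthd.conf (assumed path; started as "saslauthd -a ldap") ---
# Only the password check is delegated to AD; the user's mail, loginShell,
# homeDirectory etc. remain in the OpenLDAP entry below.

# Weak setting (do NOT use): saslauthd would send the user's clear text
# password to AD over an unencrypted connection.
#ldap_servers: ldap://dc1.example.com/

# Corrected setting: LDAPS, with the AD server certificate verified against
# the corporate CA bundle so a spoofed DC cannot harvest passwords.
ldap_servers: ldaps://dc1.example.com/ ldaps://dc2.example.com/
ldap_tls_cacert_file: /etc/ssl/certs/corp-root-ca.pem   # placeholder path
ldap_tls_check_peer: yes
ldap_version: 3

# "bind" method: saslauthd looks the user up with a read-only lookup account,
# then binds to AD as the found DN with the password the client supplied.
ldap_auth_method: bind
ldap_bind_dn: CN=saslauthd-lookup,OU=Service Accounts,DC=example,DC=com
ldap_bind_pw: <lookup-account-password>     # placeholder, keep file mode 0600
ldap_search_base: DC=example,DC=com
# %U is the user part of the "user@realm" string slapd hands to saslauthd.
ldap_filter: (&(objectClass=user)(sAMAccountName=%U))

# --- /etc/sasl2/slapd.conf (or /usr/lib/sasl2/slapd.conf, depending on the build) ---
# Tells the SASL library inside slapd to verify {SASL} passwords via saslauthd.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- OpenLDAP user entry (LDIF), only the password check goes to AD ---
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
sn: Doe
mail: jdoe@example.com
loginShell: /bin/bash
homeDirectory: /home/jdoe
uidNumber: 10001
gidNumber: 10001
# {SASL} makes slapd pass "jdoe@EXAMPLE.COM" and the bind password to saslauthd
# instead of comparing a stored hash; the realm part must match what the
# ldap_filter above expects to strip with %U.
userPassword: {SASL}jdoe@EXAMPLE.COM
```

Two operational checks are worth doing before going live: run `testsaslauthd -u jdoe -p '<password>'` (a tool shipped with Cyrus SASL) against the running daemon to confirm the LDAPS lookup and bind succeed, and watch the AD domain controllers' load while simple binds are replayed at the rate the OpenLDAP server actually sees, since, as Howard notes, every OpenLDAP bind now costs a search plus a bind on AD. Enabling saslauthd's credential cache (`-c`) reduces that load but also means a password changed in AD stays valid on the OpenLDAP side until the cache entry expires.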
