So... I tried to achieve the objective by using the meta backend with two targets -- local and remote. Now -- how can I configure the server so the request is delegated to the remote server after it fails on the local one?
By the way, I gave up my attempts to configure the server using slapd.d, as there's simply not enough documentation for it and I don't need to deal with any additional pain at the moment.

-----Original Message-----
From: Howard Chu [mailto:[email protected]]
Sent: Tuesday, November 11, 2014 4:28 PM
To: Dan White; Šmucr Jan
Cc: [email protected]
Subject: Re: OpenLDAP Proxy for Active Directory Authentication (slapd.d)

Dan White wrote:
> On 11/11/14 09:50 +0000, Šmucr Jan wrote:
>> User wants to authenticate --> Client (Gerrit 2.9.1) connects to the
>> local OpenLDAP server --> The OpenLDAP server searches its local
>> database for a relevant entry
>>
>> * Entry found --> Inform the client
>>
>> * Entry not found --> Delegate the request to the remote
>> Active directory server
>>
>> o Entry found --> Inform the OpenLDAP server --> Inform the client
>>
>> o Entry not found --> Inform the OpenLDAP server --> Inform the client
>
>> [1] http://ltb-project.org/wiki/documentation/general/sasl_delegation
>
> To work with pass-through authentication, all users will need a valid
> entry within your OpenLDAP tree. Those you wish to authenticate
> against active directory will need a userPassword attribute of:
>
> userPassword: {SASL}user@domain

Why do people keep trying to use "pass-through authentication" when the question clearly is about *proxying*. back-ldap and back-meta exist for proxying.

This was just answered a few weeks ago.

http://www.openldap.org/lists/openldap-technical/201410/msg00078.html

The obvious solution here is a local database with back-meta in front of it. The back-meta instance can be pointed at both the remote AD server and the local server and will automatically search both DBs to find a user's account (when performing a search request) and then the following Bind request will just do the right thing.

Use the right tool for the job. pass-through authentication is not the solution for a proxying task.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
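An added slapd.conf sketch of the layout Howard describes (local database plus back-meta in front of it); it is not from the thread or from the OpenLDAP project. All suffixes, hostnames, paths and account names are assumptions, and it assumes this slapd also listens on ldap://127.0.0.1 so that back-meta can reach its own local database as a target.

```conf
# Assumed names (constructed for this example):
#   dc=example,dc=com    virtual suffix Gerrit searches and binds under
#   dc=example,dc=org    suffix of the local mdb database in this same slapd
#   dc=example,dc=local  real AD naming context on ad.example.local
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
# only needed when the backends are built as loadable modules
moduleload      back_mdb.la
moduleload      back_meta.la

# 1) Local accounts, served directly by this slapd under their own suffix.
database        mdb
suffix          "dc=example,dc=org"
rootdn          "cn=admin,dc=example,dc=org"
rootpw          {SSHA}PLACEHOLDER-generate-with-slappasswd
directory       /var/lib/ldap/local
index           objectClass,uid eq

# 2) back-meta in front of both stores; every "uri" line starts a target.
#    A search under dc=example,dc=com fans out to all targets, so there is
#    no "try local, then delegate" step to configure. The Bind that follows
#    is routed to the target that owns the returned DN.
database        meta
suffix          "dc=example,dc=com"
rootdn          "cn=proxy,dc=example,dc=com"
rebind-as-user  yes
chase-referrals no
nretries        3

# Target A: the local database above, reached through the loopback listener.
uri             "ldap://127.0.0.1/ou=local,dc=example,dc=com"
suffixmassage   "ou=local,dc=example,dc=com" "dc=example,dc=org"

# Target B: Active Directory over LDAPS. AD rejects anonymous searches, so
# searches that are not already bound as an AD user run under a read-only
# service account; a user's own Bind is still forwarded with the massaged
# DN, so AD (not the proxy) verifies the password.
uri             "ldaps://ad.example.local/ou=ad,dc=example,dc=com"
suffixmassage   "ou=ad,dc=example,dc=com" "dc=example,dc=local"
idassert-bind   bindmethod=simple
                binddn="cn=ldap-proxy,cn=Users,dc=example,dc=local"
                credentials="PLACEHOLDER-service-account-password"
                mode=none
idassert-authzFrom "*"
```

Restrict `idassert-authzFrom` to the identities that actually need AD lookups (for example Gerrit's own bind DN) once the setup works, and keep the service account read-only in AD, since its credentials sit in cleartext in this file.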
