On Fri, Mar 31, 2017 at 12:47 PM, Howard Chu <h...@symas.com> wrote:
> Curtiss Howard wrote:
>> Hi,
>>
>> I've got two Active Directory servers that are being proxied through OpenLDAP
>> and their respective trees are being merged into one. So far, so good.
>>
>> Now I want to allow users to bind to the OpenLDAP server and pass the
>> authentication through to the appropriate AD and let it do the password
>> checking.
>>
>> I see a lot of documentation on using SASL for passthrough, but where I'm
>> stuck is that this requires every user to have an account in the OpenLDAP
>> server in order to see if the userPassword attribute is specially formatted.
>> In my case, this isn't really a palatable solution because I'm using the
>> OpenLDAP server with the meta backend and using it as a "live view" into the
>> data contained in the ADs. Other applications can talk directly to the ADs,
>> and in order to do the SASL approach there'd have to be some syncing from the
>> ADs to the OpenLDAP server every time a user is created/deleted.
>>
>> I would think that surely there must be some way to pass through the
>> authentication in a more obvious manner -- i.e., if the user doesn't exist
>> locally, try to bind against each proxied server in succession. But I can't
>> seem to find a way to do this; all references point to the SASL approach.
>>
>> Is there a way to do this?
>
> Just use slapo-pbind.

Ah nice, this sounds more like it. However, I have two AD servers that I'm proxying -- is there a concept of using this overlay multiple times?
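For readers unfamiliar with the overlay Howard names, here is a minimal slapd.conf fragment, added as an illustration and not taken from the thread or from the OpenLDAP sources, that stacks slapo-pbind on a local database so simple binds are forwarded to one remote directory server. The suffix, directory path and host name are placeholders; the overlay takes the same connection directives as back-ldap (see slapo-pbind(5) and slapd-ldap(5)).

```conf
# Added example (not from the thread): local database with slapo-pbind stacked
# on top.  All names below are placeholders.
database    mdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"
directory   /var/lib/ldap

# Forward simple binds to the remote server instead of checking them locally.
# pbind is configured with back-ldap directives; at minimum "uri" must be set.
# Use ldaps:// (or back-ldap's TLS options) so the forwarded password is never
# sent in the clear.
overlay     pbind
uri         "ldaps://ad1.example.com/"
```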