On 8/19/19 10:39 AM, [email protected] wrote:

> Ultimately I want some UNIX machines using pam-ldap to authenticate against
> an Active Directory ("AD").

Hint: Don't use the ancient pam_ldap.

> Logins to those machines require a number of attributes but I don't
> have authority/ability to store them in the AD. They are stored in
> an external (non-OpenLDAP !) server "S" instead. As the AD passwords
> cannot be read/replicated, I also cannot simply direct clients to S,

That's exactly the use-case for overlay slapo-translucent used in a proxy backend along with back-mdb for storing local data:

https://www.openldap.org/software/man.cgi?query=slapo-translucent

With this you can point your clients to S.

There are other variants to this use-case, e.g. proxying only the bind requests sent to S to AD (pass-through authc) and retrieving all data from S.

Ciao, Michael.
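The setup Michael sketches (a back-ldap proxy in front of AD, with slapo-translucent layering locally stored attributes from a back-mdb database over the AD entries) as a constructed slapd.conf fragment. This is an added example, not configuration from this thread or from the OpenLDAP project; the hostnames, DNs, file paths, attribute lists and the service-account credential placeholder are assumptions, and it assumes an OpenLDAP build where the translucent overlay's captive local database is back-mdb.

```conf
# Constructed example (not from the list post): one slapd that forwards binds
# and lookups to AD through back-ldap and merges locally held attributes from
# back-mdb on top via slapo-translucent. All names below are placeholders.

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema      # posixAccount / shadowAccount

moduleload back_ldap
moduleload back_mdb
moduleload translucent

# Remote side: AD holds the identities and passwords. A client's simple bind
# is forwarded to AD unchanged, so the password is verified there and is
# never stored in the proxy. StartTLS with CA verification keeps the
# forwarded password off the wire in the clear.
database ldap
suffix "dc=ad,dc=example,dc=com"
rootdn "cn=proxy-admin,dc=ad,dc=example,dc=com"
uri "ldap://dc1.ad.example.com/"
tls start tls_cacert=/etc/openldap/ad-ca.pem tls_reqcert=demand
# AD usually refuses anonymous searches, so lookups made on behalf of the
# clients (e.g. pam/nss user resolution) use a dedicated read-only AD account.
idassert-bind bindmethod=simple
  binddn="cn=ldap-proxy,ou=ServiceAccounts,dc=ad,dc=example,dc=com"
  credentials="PLACEHOLDER-change-me"
  mode=none

# Local side: attributes AD will not hold for these accounts live in the
# overlay's captive mdb database. Entries are merged by DN, so a local
# entry carries the same DN as its AD counterpart and only the extra
# attributes (here the POSIX ones).
overlay translucent
translucent_local uidNumber,gidNumber,homeDirectory,loginShell
translucent_remote sAMAccountName,memberOf
# Not set on purpose:
#   translucent_bind_local  -> binds keep going to AD (AD stays authoritative)
#   translucent_pwmod_local -> password changes are not absorbed locally
directory /var/lib/ldap/translucent
index objectClass eq
index uidNumber,gidNumber eq
```

With this in place the UNIX clients are pointed at the proxy rather than at AD or S: a filter such as `(&(objectClass=posixAccount)(uidNumber=1000))` is answered from the local store because of `translucent_local`, while `(sAMAccountName=jdoe)` is passed through to AD because of `translucent_remote`, and the returned entry is the union of both. Binds still fail or succeed exactly as AD decides, which is the property the original poster needed, since the AD password hashes cannot be replicated into S.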
