Hi,
On 17/05/2023 08:00, Brian Wolfe wrote:
> While I'm not exactly an expert on ApacheDS, I work with other OpenDS based
> Directories and Access products all the time. So let me give you some
> general knowledge as there seems to be some confusion as to how these
> things work. Afaik from what I have looked at in ApacheDS, it doesn't
> support any type of LDAP proxy or mechanism to send bind credentials to
> another LDAP server during the bind operation,

Actually, ApacheDS supports delegated Authentication.
It requires some specific configuration though:
- Declare the DelegatedAuthenticator as a valid Authenticator
- Set the delegated port (if it's not 389)
I think that by default, the authenticator is present in the
configuration, but disabled:

dn: ads-authenticatorid=delegatingauthenticator,ou=authenticators,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
ads-authenticatorid: delegatingauthenticator
objectclass: top
objectclass: ads-base
objectClass: ads-authenticator
objectClass: ads-authenticatorImpl
ads-authenticatorClass: org.apache.directory.server.core.authn.DelegatingAuthenticator
ads-baseDn:
ads-enabled: FALSE <<----

It's enough to change ads-enabled from FALSE to TRUE to get it working.
The optional parameters you can set are:
- ads-delegatePort: the remote LDAP server port
- ads-delegateSsl: true if SSL is used
- ads-delegateTls: true if TLS is used
- ads-delegateTlsTrustManager: The TLS TrustManager to use (can be org.apache.directory.ldap.client.api.NoVerificationTrustManager if no certificate check is to be done)
- ads-delegateSslTrustManager: The SSL TrustManager to use (same as above for certificate validation)
- ads-delegateBaseDn: The Base DN from which users will be checked against a remote LDAP server (it may be null, and if so, all the users may be subject to a remote authentication)
Hope it clarifies something that requires documentation...
--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecha...@busit.com https://www.busit.com/
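
Added example, not part of the original message and not ApacheDS code: a small Python check that reads a config LDIF export and reports how an enabled DelegatingAuthenticator entry is set up, using only the attributes named in the message above. The sample entry, the port value and the finding names are constructed for illustration, and base64 (`::`) values are not decoded.

```python
import re

# Constructed sample entry; attribute names are the ones listed in the message above.
SAMPLE_LDIF = """\
dn: ads-authenticatorid=delegatingauthenticator,ou=authenticators,
 ads-interceptorId=authenticationInterceptor,ou=interceptors,
 ads-directoryServiceId=default,ou=config
objectClass: ads-authenticatorImpl
ads-authenticatorClass: org.apache.directory.server.core.authn.DelegatingAuthenticator
ads-enabled: TRUE
ads-delegatePort: 10389
ads-delegateTls: true
ads-delegateTlsTrustManager: org.apache.directory.ldap.client.api.NoVerificationTrustManager
"""

def parse_ldif(text):
    """Parse LDIF into dicts of lower-cased attribute name -> list of values."""
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines (leading space)
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit(entry):
    """Return finding codes for an enabled DelegatingAuthenticator entry."""
    def get(name):
        return (entry.get(name.lower()) or [""])[0]
    enabled = get("ads-enabled").upper() == "TRUE"
    if not (enabled and get("ads-authenticatorClass").endswith(".DelegatingAuthenticator")):
        return []
    findings = []
    # Assumption: with neither flag set, the delegated bind travels over plain LDAP.
    if "true" not in (get("ads-delegateSsl").lower(), get("ads-delegateTls").lower()):
        findings.append("cleartext-delegation")
    for attr in ("ads-delegateSslTrustManager", "ads-delegateTlsTrustManager"):
        if get(attr).endswith("NoVerificationTrustManager"):
            findings.append("no-certificate-check:" + attr)
    if not get("ads-delegateBaseDn"):
        findings.append("all-users-delegated")  # null base DN: every user is in scope
    return findings

if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["dn"][0], audit(e))
```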