On Thu, 2017-01-19 at 20:59 +0000, Romain Esnault wrote:
> Hello,
>
> We have an Active Directory with windows accounts and we need to have these accounts in another 389 DS to expose to applications. We will have these accounts in both LDAP ; 389 DS in front and Active Directory in back
>
> We want that the password verification is done with the one stored into the Active Directory even if applications bind the 389 DS.
> With OpenLDAP, it's possible to use Pass-Through authentication configured to delegate the password verification on specifics LDAP accounts.
> --> http://www.openldap.org/doc/admin24/security.html#Pass-Through authentication
>
> But the 389 DS documentation seems indicate that for Pass-Through authentication is possible only if accounts are not existing ...
>
> Is it possible with 389 DS to implement the Pass-Through authentication only to delegate password like openLDAP can do ?
>
> Thanks for your help
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
You could use pam pass through
http://directory.fedoraproject.org/docs/389ds/howto/howto-pam-pass-through.html
The way I read the PTA docs, it's a bit ambiguous. It could go either
way. I think it would be worth test / reading the code to be sure.
Hope that helps (sorry for late response
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
No comments:
Post a Comment