On Thu, 2017-01-19 at 20:59 +0000, Romain Esnault wrote: > Hello, > > We have an Active Directory with windows accounts and we need to have these accounts in another 389 DS to expose to applications. We will have these accounts in both LDAP ; 389 DS in front and Active Directory in back > > We want that the password verification is done with the one stored into the Active Directory even if applications bind the 389 DS. > With OpenLDAP, it's possible to use Pass-Through authentication configured to delegate the password verification on specifics LDAP accounts. > --> http://www.openldap.org/doc/admin24/security.html#Pass-Through authentication > > But the 389 DS documentation seems indicate that for Pass-Through authentication is possible only if accounts are not existing ... > > Is it possible with 389 DS to implement the Pass-Through authentication only to delegate password like openLDAP can do ? > > Thanks for your help > _______________________________________________ > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx You could use pam pass through http://directory.fedoraproject.org/docs/389ds/howto/howto-pam-pass-through.html The way I read the PTA docs, it's a bit ambiguous. It could go either way. I think it would be worth test / reading the code to be sure. Hope that helps (sorry for late response -- Sincerely, William Brown Software Engineer Red Hat, Brisbane
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
