OpenLDAP with External LDAP Authentication



Hoping someone can help give some pointers.

My YunoHost server

Hardware: self-hosted VM on own hypervisor.
YunoHost version:
I have access to my server: via web access and SSH.
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no.

Description of my issue

Looking to get the YunoHost OpenLDAP server configured to authenticate against another LDAP server, in this first instance Active Directory. AFAICT there are three ways to achieve this:

  1. Normally I would configure something like SSSD and join the machine to AD, but manually configuring this when YunoHost already has an OpenLDAP server seems like the wrong approach.

  2. Use SASL pass-through, which seems like the quick and easy solution.

  3. Proxy requests to AD so that Yunohost continues to authenticate users as normal but requests are proxied to AD.

So, option 1 would work if there were a way for YunoHost to fall back to PAM authentication, but I’m not sure that’s possible. This is the way Webmin works, for example. LDAP users can be mapped to local users, but YunoHost ignores local users and only looks at OpenLDAP AFAICT.

Options 2 and 3 are possible but require additional packages, which I expect means they can be overwritten/borked by updates, or at least have to be manually maintained.

What’s the best way to achieve this? I’ve seen that in /etc/ldap/ldap.conf you can add a URI to an external LDAP server, but I see no way to set a bind user. I can run ldapsearch against the AD server providing admin credentials and everything works as expected.

Help appreciated.
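Option 2 (SASL pass-through) in concrete form, as an added example that is not part of the original post and not YunoHost project code. The pieces are: saslauthd running with its `ldap` mechanism and pointed at AD (`/etc/saslauthd.conf`, `/etc/default/saslauthd`), slapd's SASL library told to consult saslauthd (`/usr/lib/sasl2/slapd.conf`), and each user's `userPassword` in YunoHost's directory replaced by `{SASL}user@REALM` so slapd delegates the password check instead of comparing a local hash. Everything host-specific is an assumption: the AD controller `dc01.ad.example.org`, base `DC=ad,DC=example,DC=org`, a read-only service account `svc-ldap`, realm `AD.EXAMPLE.ORG`, the YunoHost user DN layout `uid=<name>,ou=users,dc=yunohost,dc=org`, and Debian's saslauthd socket `/var/run/saslauthd/mux`. The script only renders the files (into a staging directory if you pass one) so you can diff them before copying anything into /etc.

```shell
#!/bin/sh
# Added example, not code from the forum post or from YunoHost. Renders the
# config pieces for OpenLDAP "{SASL}" pass-through authentication to Active
# Directory. Every host name, DN and account below is an assumption:
#   AD_URI      AD domain controller; LDAPS so the bind password is not sent in clear
#   AD_BASE     search base for user lookups
#   AD_BIND_DN  read-only service account saslauthd binds as to locate the user
#   AD_REALM    realm written into userPassword; saslauthd receives it as the realm
#   YNH_BASE    YunoHost's user tree (assumed uid=<name>,ou=users,dc=yunohost,dc=org)
set -eu

AD_URI="${AD_URI:-ldaps://dc01.ad.example.org}"
AD_BASE="${AD_BASE:-DC=ad,DC=example,DC=org}"
AD_BIND_DN="${AD_BIND_DN:-CN=svc-ldap,OU=Service Accounts,DC=ad,DC=example,DC=org}"
AD_BIND_PW="${AD_BIND_PW:-change-me}"
AD_REALM="${AD_REALM:-AD.EXAMPLE.ORG}"
YNH_BASE="${YNH_BASE:-ou=users,dc=yunohost,dc=org}"
SASLAUTHD_MUX="${SASLAUTHD_MUX:-/var/run/saslauthd/mux}"   # Debian default socket

# /etc/saslauthd.conf: how saslauthd verifies a password against AD.
# %U is the user name without realm. ldap_auth_method "bind" means saslauthd
# first searches with the service account, then binds as the DN it found using
# the password offered to slapd; AD does the actual verification.
render_saslauthd_conf() {
  cat <<EOF
ldap_servers: $AD_URI
ldap_search_base: $AD_BASE
ldap_filter: (&(objectClass=user)(sAMAccountName=%U))
ldap_bind_dn: $AD_BIND_DN
ldap_bind_pw: $AD_BIND_PW
ldap_auth_method: bind
ldap_tls_check_peer: yes
EOF
}

# /etc/default/saslauthd: start saslauthd with the LDAP mechanism and the
# socket directory slapd will be pointed at.
render_default_saslauthd() {
  cat <<EOF
START=yes
MECHANISMS="ldap"
OPTIONS="-c -m $(dirname "$SASLAUTHD_MUX")"
EOF
}

# /usr/lib/sasl2/slapd.conf: tell slapd's SASL library to ask saslauthd.
render_sasl_slapd_conf() {
  cat <<EOF
pwcheck_method: saslauthd
saslauthd_path: $SASLAUTHD_MUX
EOF
}

# LDIF that switches one existing YunoHost user to pass-through. slapd then
# hands "<user>@<realm>" plus the offered password to SASL instead of comparing
# a stored hash. The account must already exist in YunoHost's directory.
render_passthrough_ldif() {
  user="$1"
  cat <<EOF
dn: uid=$user,$YNH_BASE
changetype: modify
replace: userPassword
userPassword: {SASL}$user@$AD_REALM
EOF
}

# Commands to verify each hop, innermost first (printed, not run here).
render_verify_steps() {
  user="$1"
  cat <<EOF
# 1. saslauthd <-> AD (run as root; -s slapd selects the service name)
testsaslauthd -u $user -r $AD_REALM -p 'ad-password' -s slapd
# 2. slapd <-> saslauthd: simple bind against YunoHost's LDAP with the AD password
ldapwhoami -x -H ldapi:/// -D "uid=$user,$YNH_BASE" -W
EOF
}

# With a target directory as first argument, write the files under it (a staging
# tree to diff against /etc before copying). Without an argument: render nothing.
if [ -n "${1:-}" ]; then
  root="$1"
  mkdir -p "$root/etc/default" "$root/usr/lib/sasl2"
  render_saslauthd_conf    > "$root/etc/saslauthd.conf"
  chmod 600 "$root/etc/saslauthd.conf"          # holds the AD bind password
  render_default_saslauthd > "$root/etc/default/saslauthd"
  render_sasl_slapd_conf   > "$root/usr/lib/sasl2/slapd.conf"
  render_passthrough_ldif "${2:-jdoe}" > "$root/passthrough.ldif"
  render_verify_steps "${2:-jdoe}"
fi
```

Usage: `sh passthrough.sh ./staging jdoe`, inspect the tree, copy the three files into place, then `ldapmodify -Y EXTERNAL -H ldapi:/// -f passthrough.ldif` for each user and restart saslauthd and slapd. Points a practitioner should check before relying on this: slapd must be able to open the saslauthd socket (on Debian, `adduser openldap sasl` then restart slapd); `/etc/saslauthd.conf` carries the service-account password, so keep it root-only and give that account no write rights in AD; `ldap_tls_check_peer` only helps if the CA that issued the controller's certificate is trusted on the host (add `ldap_tls_cacert_file` otherwise). Two caveats follow from how the mechanism works: only the password check is delegated, so users still have to exist in YunoHost's directory, and anything that rewrites `userPassword` with a hash (a password change from YunoHost's side) silently turns that account back into a locally authenticated one. This also answers the `ldap.conf` question above: libldap's `/etc/ldap/ldap.conf` has no bind-password setting, which is why the AD credentials live in saslauthd's config rather than there.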


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.