GitLab

Summary

I would like to be able to combine the AD and LDAP modules, the former for Auth and PasswordDB and the later for UserDB, but with each one having a different baseDN and LDAP structure:

• I have a Samba4 AD to manage the users and their password
• I have an OpenLDAP to manage non windows attributes (I don't want to extend the Samba schema), the password is delegated to Samba AD using SASL

I tried the following combined configuration:

• AD as Auth only (this will detect the must change password and expired password)
• LDAP as User DB only to lookup extended attributes
• AD as PasswordDB

After some discussions on the mailing-list, it appears that I can't combine the modules in my case since:

1. LemoLDAP::NG lookup the user DN with UserDB
2. LemoLDAP::NG try to authenticate this DN against the Samba active directory

This fails when both backends do not have the same structures.

Design proposition

When combining modules, each one should have it's own view of the user canonical identifier, in the LDAP based case of AD and LDAP the user DN.