LemonLDAP NG / lemonldap-ng · Issue #2435 · Closed
Created Jan 08, 2021 by DaD@dad

Combine AD and LDAP modules with different baseDN

Summary

I would like to be able to combine the AD and LDAP modules, the former for Auth and PasswordDB and the latter for UserDB, but with each one having a different baseDN and LDAP structure:

  • I have a Samba4 AD to manage the users and their password
  • I have an OpenLDAP to manage non-Windows attributes (I don't want to extend the Samba schema); the password is delegated to Samba AD using SASL

I tried the following combined configuration:

  • AD as Auth only (this will detect the must change password and expired password)
  • LDAP as User DB only to lookup extended attributes
  • AD as PasswordDB

After some discussions on the mailing-list, it appears that I can't combine the modules in my case since:

  1. LemonLDAP::NG looks up the user DN with UserDB
  2. LemonLDAP::NG tries to authenticate this DN against the Samba Active Directory

This fails when both backends do not have the same structure.

Design proposition

When combining modules, each one should have its own view of the user's canonical identifier; in the LDAP-based case of AD and LDAP, that is the user DN.
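To make the two flows concrete, here is an added illustration that is not part of the issue and not LemonLDAP::NG code: two in-memory directories stand in for the Samba4 AD and the OpenLDAP server, with different baseDNs, different login attributes (`sAMAccountName` vs `uid`) and different DN layouts. `login_shared_dn` models the current sequence the reporter describes (DN resolved by UserDB, then bound against Auth) and `login_per_module_dn` models the design proposition (each module resolves its own DN for the same login). All entries, DNs and the password are constructed sample data.

```python
"""Constructed model of the reported failure and of the proposed fix.

Not LemonLDAP::NG code: two dict-backed "directories" replace real LDAP
servers so the example runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Minimal stand-in for one LDAP server.

    base       -- the baseDN this backend is allowed to search under
    login_attr -- attribute holding the login name (sAMAccountName or uid)
    entries    -- DN -> attribute dict
    passwords  -- DN -> password, only populated for the backend that binds
    """
    base: str
    login_attr: str
    entries: dict
    passwords: dict = field(default_factory=dict)

    def search_dn(self, login):
        """Return the DN whose login attribute equals `login`, scoped to `base`."""
        for dn, attrs in self.entries.items():
            if dn.lower().endswith(self.base.lower()) and attrs.get(self.login_attr) == login:
                return dn
        return None

    def bind(self, dn, password):
        """Simple bind: the DN must exist here and the password must match."""
        return dn in self.entries and self.passwords.get(dn) == password


# Constructed data: the same person under two different DNs and bases.
AD = Directory(
    base="DC=example,DC=com",
    login_attr="sAMAccountName",
    entries={"CN=Jane Doe,CN=Users,DC=example,DC=com": {"sAMAccountName": "jdoe"}},
    passwords={"CN=Jane Doe,CN=Users,DC=example,DC=com": "s3cret"},
)
OPENLDAP = Directory(
    base="ou=people,dc=example,dc=org",
    login_attr="uid",
    entries={
        "uid=jdoe,ou=people,dc=example,dc=org": {
            "uid": "jdoe", "uidNumber": "10042", "loginShell": "/bin/zsh",
        }
    },
)


def login_shared_dn(auth, userdb, login, password):
    """Sequence described in the issue: the DN found by UserDB is bound against Auth.

    With different structures the OpenLDAP DN does not exist in AD, so the bind
    fails even for a correct password.
    """
    dn = userdb.search_dn(login)
    if dn is None or not auth.bind(dn, password):
        return None
    return userdb.entries[dn]


def login_per_module_dn(auth, userdb, login, password):
    """Design proposition: each module resolves its own DN for the same login.

    Auth searches and binds under its own base; only after a successful bind
    does UserDB search under its own base to fetch the extended attributes.
    """
    auth_dn = auth.search_dn(login)
    if auth_dn is None or not auth.bind(auth_dn, password):
        return None
    user_dn = userdb.search_dn(login)
    if user_dn is None:
        return None
    return userdb.entries[user_dn]


if __name__ == "__main__":
    print("shared DN   :", login_shared_dn(AD, OPENLDAP, "jdoe", "s3cret"))
    print("per-module  :", login_per_module_dn(AD, OPENLDAP, "jdoe", "s3cret"))
    print("bad password:", login_per_module_dn(AD, OPENLDAP, "jdoe", "wrong"))
```

Note that in the per-module flow the attribute lookup happens only after the Auth bind has succeeded, and each search stays scoped to its own module's base, so a match in the attribute directory can never substitute for authentication against the directory that actually holds the credential.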
