Combine AD and LDAP modules with different baseDN
Summary
I would like to be able to combine the `AD` and `LDAP` modules, the former for `Auth` and `PasswordDB` and the latter for `UserDB`, but with each one having a different baseDN and LDAP structure:
- I have a Samba4 AD to manage the users and their passwords
- I have an OpenLDAP to manage non-Windows attributes (I don't want to extend the Samba schema); the password is delegated to Samba AD using SASL
I tried the following combined configuration:
- `AD` as Auth only (this will detect the "must change password" and "expired password" cases)
- `LDAP` as UserDB only, to look up extended attributes
- `AD` as PasswordDB
After some discussions on the mailing-list, it appears that I can't combine the modules in my case since:
- LemonLDAP::NG looks up the user `DN` with `UserDB`
- LemonLDAP::NG tries to authenticate this `DN` against the Samba Active Directory

This fails when both backends do not have the same structure.
Design proposition
When combining modules, each one should have its own view of the user canonical identifier; in the LDAP-based case of `AD` and `LDAP`, that is the user `DN`.
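To make the failure described above and the proposed fix concrete, here is an added model (not LemonLDAP::NG code) of two in-memory directories with the different trees from this issue; entries, attribute names and the `jdoe` account are constructed for the example. The first login function reuses the DN found in the UserDB for the AD bind, the second lets each backend resolve its own DN for the same login.

```python
# Constructed model of the two backends from the issue (not LemonLDAP::NG code).
# UserDB: OpenLDAP tree holding the non-Windows attributes.
OPENLDAP = {
    "uid=jdoe,ou=people,dc=example,dc=org": {"uid": "jdoe", "loginShell": "/bin/zsh"},
}
# Auth / PasswordDB: Samba AD tree holding the account and the password.
SAMBA_AD = {
    "CN=John Doe,CN=Users,DC=example,DC=org": {"sAMAccountName": "jdoe", "password": "s3cret"},
}


def search(directory, attr, value):
    """Return the DN of the first entry whose attribute equals value, or None."""
    for dn, entry in directory.items():
        if entry.get(attr) == value:
            return dn
    return None


def bind(directory, dn, password):
    """Simple bind: succeeds only if the DN exists in this tree and the password matches."""
    entry = directory.get(dn)
    return entry is not None and entry.get("password") == password


def login_shared_dn(login, password):
    """Current behaviour: the DN found by UserDB is reused to bind against AD.
    The OpenLDAP DN does not exist in the AD tree, so the bind always fails."""
    dn = search(OPENLDAP, "uid", login)
    if dn is None:
        return False
    return bind(SAMBA_AD, dn, password)


def login_per_backend_dn(login, password):
    """Proposed behaviour: each backend resolves its own DN for the same login,
    so the bind uses a DN that belongs to the AD tree."""
    auth_dn = search(SAMBA_AD, "sAMAccountName", login)
    user_dn = search(OPENLDAP, "uid", login)
    if auth_dn is None or user_dn is None:
        return False
    return bind(SAMBA_AD, auth_dn, password)
```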