Active Directory Authentication with LDAP proxy
We have services in an isolated network. These services need to authenticate users against the Active Directory server.
However, the Active Directory server is not directly reachable, so I have to set up an LDAP proxy in the isolated network. The LDAP proxy will then have access to the AD. Note that access must be read-only and this proxy will have access to only one AD server.
- Is this possible/feasible?
- Is the term "proxy" the right term?
- Is a Microsoft AD server mandatory, or will OpenLDAP do the job fine?
- I have little knowledge of AD/LDAP; how is the learning curve?
- A few hints on where to begin?
Thanks.
> Is this possible/feasible?

This is both feasible and common. If you search for something like "openldap proxy active directory" you'll find a number of useful results.
> Is the term "proxy" the right term?

This is absolutely the correct term to use.
> Is a Microsoft AD server mandatory, or will OpenLDAP do the job fine?

If your clients are only expecting an LDAP server then OpenLDAP will be just fine, particularly if you'll only need read-only access.
> I have little knowledge of AD/LDAP; how is the learning curve?

Without knowing your background that's a hard question to answer. I find that LDAP is fundamentally simple, but wrapping your head around access control in OpenLDAP can take a little work.
> A few hints on where to begin?

If all you need to do is make the AD server available within your local network, then a simple TCP proxy or appropriate iptables rules will be much simpler than a full-blown LDAP proxy. The downside of this is that you would need to perform any access control on the Active Directory side of things.
If you decide to go with OpenLDAP as a proxy:
- Step by Step Installation and Configuration of OpenLDAP as Proxy to Active Directory seems to fit the bill from the title, but it's not very good as a guide.
- The Samba documentation has some notes along these lines.
- This article I wrote a few years ago is more than you want, but does have some configuration examples.
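To make the OpenLDAP route concrete, here is an added example of a `slapd.conf` for a read-only proxy in front of a single domain controller, using the `ldap` backend (back-ldap). It is not taken from the answer above, from any of the linked guides, or from the OpenLDAP project; the host name `dc1.corp.example.com`, the suffix `dc=corp,dc=example,dc=com`, and the certificate paths are assumed placeholders.

```conf
# slapd.conf: OpenLDAP as a read-only proxy to one Active Directory domain controller.
# Added example; dc1.corp.example.com, the suffix and the certificate paths are assumptions.

include         /etc/openldap/schema/core.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Only needed when slapd was built with dynamic backends.
modulepath      /usr/lib/openldap
moduleload      back_ldap

# TLS for the proxy's own listener, so user passwords never cross the isolated
# network in the clear; security ssf=128 refuses clients that do not encrypt.
TLSCACertificateFile    /etc/openldap/certs/internal-ca.pem
TLSCertificateFile      /etc/openldap/certs/ldap-proxy.crt
TLSCertificateKeyFile   /etc/openldap/certs/ldap-proxy.key
security ssf=128

database        ldap
suffix          "dc=corp,dc=example,dc=com"

# The one domain controller this proxy is allowed to reach.
uri             "ldap://dc1.corp.example.com/"
protocol-version 3

# StartTLS towards the DC; fail closed if the DC's certificate does not validate.
tls start tls_cacert=/etc/openldap/certs/corp-root-ca.pem tls_reqcert=demand

# Reject add/modify/delete through the proxy even if AD would allow them.
readonly on

# Do not follow the referrals AD returns for other naming contexts; chasing them
# would make the proxy open connections to other domain controllers.
chase-referrals no

# Forward each client's own bind to AD (and reuse it on reconnect), so AD, not
# the proxy, decides whether a user's password is valid.
rebind-as-user yes

# Local ACL: anonymous clients get nothing; authenticated clients are still
# limited by AD's own permissions because the proxy binds to AD as that user.
access to *
        by users read
        by * none
```

Run it with `slapd -h "ldaps:///"` (or `ldap:///` plus StartTLS) and point the services at the proxy. Authentication is a pass-through: a service binds with its own AD account, searches for the user, then binds as the user, and every bind is forwarded to the DC. The proxy holds no passwords and no copy of the directory, so the things worth monitoring on it are the slapd log for failed binds and the single outbound connection to `dc1`.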
Active Directory Lightweight Directory Services seems like exactly what you need, but if you want to directly authenticate against AD, you could instead just do a TCP proxy back to your AD servers; HAProxy would be a good fit.
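As an added example of the TCP-proxy option (not part of this answer or of the HAProxy project's documentation), the following `haproxy.cfg` passes LDAPS from the isolated network to one domain controller without terminating TLS. The listener address `10.20.0.5`, the client subnet `10.20.0.0/24` and the DC name `dc1.corp.example.com` are assumed placeholders.

```conf
# haproxy.cfg: TCP-level pass-through from the isolated network to one domain controller.
# Added example; the addresses and the DC host name are assumptions.
global
    log /dev/log local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  5m
    timeout server  5m

frontend ldaps_in
    bind 10.20.0.5:636
    # Only hosts in the isolated network itself may use the proxy.
    tcp-request connection reject unless { src 10.20.0.0/24 }
    default_backend ad_dc

backend ad_dc
    # TLS is not terminated here: each client negotiates LDAPS end to end with the
    # DC, so it still validates the DC's certificate and the proxy never sees passwords.
    server dc1 dc1.corp.example.com:636 check
```

Because the TLS session runs end to end, clients validate the name on the DC's certificate, so inside the isolated network resolve the DC's host name to the proxy address (or have the clients connect using the DC's name) rather than a proxy-specific name. `option tcplog` gives you a per-connection record of which internal host reached the DC and when, which is the only audit trail this design provides, since the proxy cannot see LDAP operations.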