In our Directory Server environment we have:
- suffix: dc=fooinc,dc=com
- subtree: ou=people,dc=fooinc,dc=com
- users ou: cn=bla,ou=people,dc=fooinc,dc=com
We can use these users correctly for the usual bind attempts like
ldapsearch -D cn=bla,ou=people,dc=fooinc,dc=com -w password ...
Now we would like to have a second set of users for authenticated binds. But these users should have their passwords checked with Active Directory and not with Directory Server. For this we configured pass-through authentication as documented here:
To distinguish between authentication methods for different users we use the pamfilter system. We defined a second tree with other users to accomplish this:
The issue is that whatever we set pamfilter to, all bind authentication attempts go straight to AD. We would like only the users within cn=aduser,ou=peopleAD,dc=fooinc,dc=com to be authenticated against Active Directory.
- Red Hat Directory Server 8.0