Hello,
We have an Active Directory with Windows accounts and we need to have these accounts in another 389 DS to expose to applications. We will have these accounts in both LDAP; 389 DS in front and Active Directory in back.
We want the password verification to be done with the one stored in the Active Directory even if applications bind to the 389 DS. With OpenLDAP, it's possible to use Pass-Through authentication configured to delegate the password verification for specific LDAP accounts. --> http://www.openldap.org/doc/admin24/security.html#Pass-Through authentication
But the 389 DS documentation seems to indicate that Pass-Through authentication is possible only if the accounts do not exist ...
Is it possible with 389 DS to implement Pass-Through authentication only to delegate the password, like OpenLDAP can do?
Thanks for your help
On Thu, 2017-01-19 at 20:59 +0000, Romain Esnault wrote:
> Hello,
> We have an Active Directory with Windows accounts and we need to have these accounts in another 389 DS to expose to applications. We will have these accounts in both LDAP; 389 DS in front and Active Directory in back.
> We want the password verification to be done with the one stored in the Active Directory even if applications bind to the 389 DS. With OpenLDAP, it's possible to use Pass-Through authentication configured to delegate the password verification for specific LDAP accounts. --> http://www.openldap.org/doc/admin24/security.html#Pass-Through authentication
> But the 389 DS documentation seems to indicate that Pass-Through authentication is possible only if the accounts do not exist ...
> Is it possible with 389 DS to implement Pass-Through authentication only to delegate the password, like OpenLDAP can do?
> Thanks for your help
You could use PAM pass-through:
http://directory.fedoraproject.org/docs/389ds/howto/howto-pam-pass-through.h...
The way I read the PTA docs, it's a bit ambiguous. It could go either way. I think it would be worth testing / reading the code to be sure.
Hope that helps (sorry for the late response).