Active Directory/LDAP binding

I’ve successfully gotten Search Guard 2 to authenticate to one of our Active Directory DCs with a dedicated binding account. My ultimate goal, however, is to use a different Active Directory domain that won’t have a dedicated account for binding. Is it possible to use the username and password provided by the client to perform the bind?

This cluster is used in an academic setting, higher ed.

Thanks!

If the username is a DN then it's possible (although we need to implement it).
A direct bind is only possible if the username is the DN, is that true in your case?

On 07.09.2016 at 17:00, Joseph Rafferty <joraff@gmail.com> wrote:

I've successfully gotten Search Guard 2 to authenticate to one of our Active Directory DCs with a dedicated binding account. My ultimate goal, however, is to use a different Active Directory domain that won't have a dedicated account for binding. Is it possible to use the username and password provided by the client to perform the bind?

This cluster is used in an academic setting, higher ed.

Thanks!


No, but the DNs will all be identical except for the CN. I don't know if this will always be the case, however, and probably won't be common for other institutions.

For now I am using a lightweight authentication proxy that leverages our SAML infrastructure. If you think this is an edge case, I am happy using the proxy.

Thanks!

On Sep 19, 2016, 2:37 PM -0500, SG <info@search-guard.com>, wrote:

If the username is a DN then it's possible (although we need to implement it).
A direct bind is only possible if the username is the DN, is that true in your case?

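
The case discussed in this thread (DNs identical except for the CN, bound with the client's own credentials), as an added Python example that is not Search Guard code: it builds the bind DN from a template, escapes the username per RFC 4514, and refuses an empty password before any bind is attempted. `BASE_DN` and the function names are assumptions made for illustration.

```python
# Added example: pre-bind checks for a DN-template direct bind (stdlib, no network).
# BASE_DN and the function names are assumptions, not Search Guard settings.

BASE_DN = "OU=People,DC=example,DC=edu"  # constructed sample suffix

# Characters that must always be escaped inside a DN attribute value.
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")          # NUL is written as a hex pair
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":
            out.append("\\" + ch)       # leading space or '#'
        elif i == last and ch == " ":
            out.append("\\ ")           # trailing space
        else:
            out.append(ch)
    return "".join(out)


def bind_dn_for(username: str, password: str, base_dn: str = BASE_DN) -> str:
    """Return the DN to use for the simple bind, or raise ValueError."""
    if not username:
        raise ValueError("empty username")
    # RFC 4513, section 5.1.2: a DN with an empty password is an
    # "unauthenticated bind", which a server may accept without
    # verifying any credential. Reject it before contacting the server.
    if not password:
        raise ValueError("empty password")
    # Without escaping, a username such as "x,OU=Admins" would change
    # which entry the bind targets instead of staying inside the CN.
    return "CN=" + escape_rdn_value(username) + "," + base_dn
```

The returned DN and the client's password are then passed to the LDAP library's simple bind over TLS; a successful bind is the authentication result.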