I have AD FS set up in EC2 and it's working fine (w.r.t. the basic test I did below; domain names are test ones and not real).
Is there a way for OpenLDAP (or anything else) to behave like a proxy to speak with ADFS? Some of the services don't have the ability to connect with ADFS (in the open source version, e.g. https://grafana.com/docs/grafana/latest/auth/saml/).
Also, ADFS is unavailable in the dev and test environments (which only have Linux), and there is no open-source ADFS that I could use.
So I was thinking about whether we could use LDAP as a proxy. Any thoughts?
Like App1 speaks to Server1:LDAP, which in turn speaks to Server2:ADFS, such that App1 need not be compatible with ADFS.
I did find some samples for connecting with AD:
- https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD
- https://doc.owncloud.com/server/admin_manual/configuration/ldap/ldap_proxy_cache_server_setup.html#configure-the-server
BUT my LDAP bind fails, hinting that ADFS does not work with LDAP queries:
ldapsearch \
-x -H ldap://HOST_IP \
-b dc=sometest,dc=com \
-D "cn=sometest_user,dc=sometest,dc=com" \
-w SECRET
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
Update: Keycloak is the way to go (IF you don't have ADFS in the dev/test environment). It obscures the ADFS layer from the code. (Still testing out Keycloak.)
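The `data 52e` in the bind error quoted above is Active Directory's own sub-code (invalid credentials) and is separate from the generic LDAP result 49. As an added example, not code from the post or any project it mentions, this Python helper parses that diagnostic string and tallies failed binds by decoded reason over a constructed log; the log line format and the account names are assumptions.

```python
import re
from typing import Optional, Dict

# "data" sub-codes AD DS appends to the bind diagnostic message; the LDAP
# result (49) alone does not say why the bind was refused.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "password must be reset",
    "775": "account locked out",
}

DIAG_RE = re.compile(
    r"(?P<win_err>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)

def parse_ad_bind_diag(msg: str) -> Optional[Dict[str, str]]:
    """Parse one AD bind diagnostic string; None if it is not in that format."""
    m = DIAG_RE.search(msg)
    if not m:
        return None
    d = m.groupdict()
    d["data"] = d["data"].lower()
    d["reason"] = AD_BIND_DATA_CODES.get(d["data"], "unknown data code")
    return d

# Constructed sample bind log (hypothetical line format, not real server output).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z bind dn="cn=app1,dc=sometest,dc=com" rc=49 info="80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580"
2024-05-01T10:00:05Z bind dn="cn=app1,dc=sometest,dc=com" rc=49 info="80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580"
2024-05-01T10:00:09Z bind dn="cn=svc2,dc=sometest,dc=com" rc=49 info="80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580"
2024-05-01T10:00:12Z bind dn="cn=svc3,dc=sometest,dc=com" rc=0
"""

def summarise_bind_failures(log_text: str) -> Dict[str, int]:
    """Count failed binds per decoded reason, so a lockout (775) is not
    misread as a plain wrong password (52e) while troubleshooting."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        parsed = parse_ad_bind_diag(line)
        if parsed:
            counts[parsed["reason"]] = counts.get(parsed["reason"], 0) + 1
    return counts
```

Running `summarise_bind_failures(SAMPLE_LOG)` on the constructed log separates the two wrong-password attempts from the one locked-out account.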