Reputation: 2558
I have AD FS set up in EC2 and it's working fine (w.r.t. the basic test I did below). (Domain names are test ones and not real.)
Is there a way for OpenLDAP (or anything else) to behave like a proxy to speak with ADFS? Some of the services don't have the ability to connect with ADFS (in the open source version, e.g. https://grafana.com/docs/grafana/latest/auth/saml/).
Also ADFS is unavailable in the dev and test environments (which only have Linux), and there is no open source ADFS that I could use.
So I was thinking whether we could use LDAP as a proxy. Any thoughts?
Like App1 speaks to Server1:LDAP which in turn speaks to Server2:ADFS, such that App1 need not be compatible with ADFS.
I did find some samples to connect with AD, BUT my LDAP bind fails, hinting that ADFS does not work with an LDAP query:
ldapsearch \
-x -H ldap://HOST_IP \
-b dc=sometest,dc=com \
-D "cn=sometest_user,dc=sometest,dc=com" \
-w SECRET
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
Update: Keycloak is the way to go (IF you don't have ADFS in the dev/test environment). It hides the ADFS layer from the code. (Still testing out Keycloak.)
Upvotes: 0
Views: 1124
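The bind error in the question carries a diagnostic string that AD (not ADFS) produces on a failed simple bind; the "data 52e" sub-code is AD's "logon failure" (wrong password, or the DN does not map to a logon-capable account), which is why the proxy idea stalls before it even reaches federation. The following script is an added example, not code from the question or from any project mentioned on the page. It parses that diagnostic format, maps the well-known AD sub-codes to their meaning, and runs over a few constructed log lines to show how a defender would tell a single misconfigured client from repeated credential failures from one source. The log line layout, source addresses and DNs are assumptions made up for the example.

```python
import re
from collections import Counter, defaultdict

# Well-known AD sub-codes carried in the "data NNN" field of an
# AcceptSecurityContext diagnostic (hex values of Windows logon-failure codes).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or DN not a logon-capable account)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches e.g. "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580"
DIAG_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9a-fA-F]+), v(?P<version>[0-9a-fA-F]+)"
)

# Assumed (constructed) application log layout: key=value pairs per bind attempt.
LINE_RE = re.compile(
    r'src=(?P<src>\S+) bind_dn="(?P<dn>[^"]*)" result=(?P<result>\d+) info="(?P<info>[^"]*)"'
)


def parse_ad_bind_diagnostic(msg):
    """Return the fields of an AD bind diagnostic, or None if msg is not one."""
    m = DIAG_RE.search(msg)
    if not m:
        return None
    fields = m.groupdict()
    fields["meaning"] = AD_BIND_SUBCODES.get(fields["data"].lower(), "unknown sub-code")
    return fields


def summarize_bind_failures(log_text, threshold=3):
    """Count failed binds per source and flag sources at or above threshold.

    Only lines with a non-zero LDAP result code are counted; the AD sub-code,
    when present, is kept so repeated 52e (password failures) can be told apart
    from 533/775 (disabled or locked accounts) when triaging.
    """
    failures_by_src = Counter()
    reasons = defaultdict(Counter)
    for line in log_text.splitlines():
        lm = LINE_RE.search(line)
        if not lm or lm.group("result") == "0":
            continue  # unparsable line or successful bind
        diag = parse_ad_bind_diagnostic(lm.group("info"))
        reason = diag["meaning"] if diag else "non-AD or unparsed diagnostic"
        src = lm.group("src")
        failures_by_src[src] += 1
        reasons[src][reason] += 1
    flagged = sorted(s for s, n in failures_by_src.items() if n >= threshold)
    return {
        "failures_by_src": dict(failures_by_src),
        "reasons": {s: dict(c) for s, c in reasons.items()},
        "flagged_sources": flagged,
    }


# Constructed sample log: three failures from one source, one disabled account, one success.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.0.5 bind_dn="cn=sometest_user,dc=sometest,dc=com" result=49 info="80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580"
2024-05-01T10:00:02Z src=10.0.0.5 bind_dn="cn=sometest_user,dc=sometest,dc=com" result=49 info="80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580"
2024-05-01T10:00:03Z src=10.0.0.5 bind_dn="cn=sometest_user,dc=sometest,dc=com" result=49 info="80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580"
2024-05-01T10:00:04Z src=10.0.0.9 bind_dn="cn=alice,dc=sometest,dc=com" result=49 info="80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 533, v2580"
2024-05-01T10:00:05Z src=10.0.0.9 bind_dn="cn=bob,dc=sometest,dc=com" result=0 info=""
"""

if __name__ == "__main__":
    print(parse_ad_bind_diagnostic(
        "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580"))
    print(summarize_bind_failures(SAMPLE_LOG, threshold=3))
```

The "data" sub-code is only present when the bind was answered by AD; a plain OpenLDAP server returns result 49 without it, so its absence in a log is itself a useful hint about which directory the client actually reached.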
Reputation: 46720
LDAP is a protocol used to access LDAP directories, e.g. AD.
It is not federation which is something ADFS requires.
ADFS works with:
So LDAP cannot replace ADFS.
However, ADFS can use LDAP for authentication.
If you want an open-source ADFS replacement, you could have a look at EmbeddedSTS as long as you are happy using WS-Fed.
Upvotes: 1