[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Active Directory passwords on OpenLdap
you cannot get the AD password, but you can set it. You must use an ssl
connection..
some quick excerpt from my process where I generate random passwords
and cram them into AD... because I don't want them to use AD
passwords... they are using the altSecurityIdentity to authenticate to a
different kerb realm..
btw this is totally not related to OpenLdap at this point.. but I
thought I would share.
##Code Sample
use Net::LDAP;
use Net::LDAP::Entry;
use Net::LDAPS;
use MIME::Base64;
use Crypt::RandPasswd;
$BASE = "ou=people,dc=example,dc=com";
$BINDDN = "cn=perlupdate";
$pass = "secret";
$ldap = new Net::LDAPS('adserver.example.com',
port => '636',
verify => 'require',
sslversion => 'sslv3',
cafile => '/path/to/adserver.cer') or die "$@";
$ldap->bind("$BINDDN,$BASE", password => $pass);
$entry = Net::LDAP::Entry->new;
$entry->dn("cn=$USERNAME,ou=people,dc=example,dc=com");
$entry->add... # lots of these to fill out all attributes for an ad
user.
# ... and if you don't know what attributes are required,
# ... generate an account with the wizard and then export it..
# ...
my $mesg = $entry->update($ldap); # the user must be created before
setting the password.
# ...
$psswd = Crypt::RandPasswd->chars(8,14);
$encoded = pack "v*", unpack "C*", qq("$psswd");
my $result = $ldap->modify("cn=$USERNAME,ou=people,dc=example,dc=com",
replace => {unicodePwd => $encoded} );
$ldap->unbind;
#end Code Block
Jonathan Higgins
IT R&D Project Manager
Kennesaw State University
jhiggins@kennesaw.edu
>>> "Thomas Vincent" <tvincent@2wire.com> 8/6/2004 9:59:57 AM >>>
You basically can pull any attribute out of AD but the password. You
need to buy a commercial product to do that. RIght now I am syncing
accounts between AD and OpenLDAP using everything but the password.
Cheers,
Tom
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org on behalf of Rafa
Sent: Fri 8/6/2004 2:55 AM
To: openldap-software@OpenLDAP.org
Subject: Active Directory passwords on OpenLdap
Hello everyone.
I'm making a data loading program. It manages several sources and
integrates them into an OpenLdap structure. A part of this structure
stores users information for other programs, and a field of that
information is the user password. The data source of this password is
an Active Directory service. The idea is that users use this OpenLdap
to
log in instead of AD.
My question is, can I read and write directly from AD to OpenLdap or do
I have to do some intermediate treatment? perhaps, for example,
password
encodings are different and I have to decode and recode.
Thanks
Rafa.