[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Active Directory Password Cache

To: Buchan Milne <bgmilne@staff.telkomsa.net>
Subject: Re: Active Directory Password Cache
From: Sebastian Hetze <s.hetze@linux-ag.de>
Date: Tue, 7 Aug 2007 10:23:26 +0200
Cc: openldap-software@openldap.org
Content-disposition: inline
In-reply-to: <200708070850.38120.bgmilne@staff.telkomsa.net>
References: <20070806113427.GB4012@ovid.bln.linux-ag.de> <200708070850.38120.bgmilne@staff.telkomsa.net>
User-agent: Mutt/1.5.13 (2006-08-11)

On Tue, Aug 07, 2007 at 08:50:37AM +0200, Buchan Milne wrote:
> 
> Would it not be better to just use the smbk5pwd overlay as well ?
> 

smbk5pwd hooks into the PasswordModify extended operation while adpwc
hooks into bind. So both address different situations.

> 
> Would it be possible to apply password expiry (using the local password policy 
> via ppolicy) as well ?
> 

Since adpwc does not perform pwdModify exop, I expect ppolicy to fail at
least some of its features.

> 
> Would it not be possible to use a non-default realm ?
> 

The overlay uses the krb(5)PrincipalName as given in the user object.
If it includes a realm, that is used.

> 
> Finally, would it be possible to provide any information on what is required 
> on the AD side for this to work (I assume some account for the OpenLDAP 
> server to use)?
> 

The current design intentionally has absolutely no requirements on the AD side.
The overlay does no server authentication. 

Regards,

  Sebastian

References:
- Active Directory Password Cache
  - From: Sebastian Hetze <s.hetze@linux-ag.de>
- Re: Active Directory Password Cache
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

Prev by Date: Re: Active Directory Password Cache
Next by Date: RE: Deleting subtree - server side
Index(es):
- Chronological
- Thread