Re: Simple LDAP to LDAP Integration

[Bill MacAllister <whm@stanford.edu>]

--On Wednesday, April 20, 2011 01:59:18 PM -0400 Alejandro Imass <ait@p2ee.org> wrote:

> On Wed, Apr 20, 2011 at 12:39 PM, Bill MacAllister <whm@stanford.edu> wrote:
> > --On Wednesday, April 20, 2011 10:23:20 AM -0400 Alejandro Imass
> > <ait@p2ee.org> wrote:
> >
> > > Hello,
> [...]
>
> > One way to do this is to configure your OpenLDAP server to generate an
> > accesslog. ÂThey you read the accesslog looking for any changes and
> > apply the changes to your downstream datastore whatever it is. ÂWe do
> > this using perl and Net::LDAPapi. ÂI can provide an example if you are
> > interested.
>
> Hi Bill, thank you *very* much for your prompt reply.
> One question (actually 2) though before I ask for the trouble of
> providing an example.... do you get the clear text passwd on the
> accesslog? is the the log an LDIF format? It's not that I really need
> clear text, but I need to compute the corresponding password hashes
> for MS-AD. are you guys able to change the password fields as well? or
> are you just copying the hashes from one to the other? how does this
> work with the accesslog method?

We don't store passwords in the directory.  Central authentication at
Stanford is provided by Kerberos.

You can think of the accesslog as just another backend database.  You
get information out of it by doing LDAP queries with your tool of
choice.  If you store passwords in the directory as hashes then when
you query the accesslog the value that is returned will be the hash
that is stored in the directory.

Bill

> Again many thanks because I really feel that this could be a practical
> KISS way of integrating this.
>
> Thanks!!!
> Alex


--

Bill MacAllister
Infrastructure Delivery Group, Stanford University