
Re: capture password



Michael Ströder wrote:
Howard Chu wrote:
Clément OUDOT wrote:
2014-07-04 14:57 GMT+02:00 Rogério Augusto Rondini
<rarondini.paradygma@gmail.com>:

     Hi folks,

     I need to implement password sync between AD and OpenLDAP using an IDM
     tool.

     I want to know how to capture clear text password in OpenLDAP before
     encryption so that I can sync it with AD and potentially with other user
     repositories.

There is also Microsoft's SSO plugin. Discussed it briefly here
http://www.openldap.org/lists/openldap-devel/200811/msg00045.html

Isn't that the other way round?

It's bidirectional, using PAM.

The original poster wrote:
"I want to know how to capture clear text password in OpenLDAP"

So pointing to e.g. the slapo-smbk5pwd source would be the right thing, wouldn't it?

Eh. Maybe. It's trivial to update passwords on AD from OpenLDAP - just write an overlay to intercept changes to userPassword and pad the data to 16-bit characters and send to AD as a Modify request on UnicodePwd. Coming back the other direction is the harder part, which is where the Microsoft SSO plugin comes in.

It's been several years since I last looked at this. I just pulled down the
Unix source code again today, it appears to only support IPv4 as it uses 32
bit IP addresses when generating the session keys for its exchange.

If you need AD->LDAP direction IIRC the Windows part of 389's DC password
interceptor is also open source.

Ah, hadn't seen that. Most M$ shops I've worked with won't install 3rd party plugins on their DCs though, which is why I've only paid attention to the M$ plugin.

Ciao, Michael.



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
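The OpenLDAP -> AD direction Howard describes above (intercept a cleartext userPassword, re-encode it, send a Modify on unicodePwd), as an added example that is not part of this thread and not OpenLDAP or Symas code. A real interceptor would be a slapd overlay in C; this Python models only the two data-handling steps with the standard library, and builds the LDAPv3 ModifyRequest bytes by hand (RFC 4511 BER) so the wire format can be inspected offline. Two facts it bakes in that the message above does not spell out: AD wants the unicodePwd value as the password wrapped in double quotes and encoded UTF-16LE, and AD only accepts that Modify over an encrypted session (LDAPS or SASL with confidentiality), otherwise it answers unwillingToPerform. All function names, the sample DN and the sample password values are assumptions made for the example.

```python
import re

# OpenLDAP stores hashed userPassword values with a leading {SCHEME} prefix,
# e.g. {SSHA}..., {CRYPT}..., {MD5}...; {CLEARTEXT} marks an unhashed value.
_SCHEME_RE = re.compile(rb"^\{[A-Za-z0-9-]+\}")


def extract_cleartext(user_password: bytes):
    """Return the cleartext if this userPassword value still carries one, else None.

    The interceptor has to see the *incoming* Modify, before slapd's own
    password hashing; a value that already arrives hashed cannot be synced.
    """
    m = _SCHEME_RE.match(user_password)
    if m is None:
        return user_password                 # bare value, hashed later by slapd
    if m.group(0).upper() == b"{CLEARTEXT}":
        return user_password[m.end():]
    return None                              # already hashed: nothing to sync


# --- minimal BER encoding (RFC 4511 LDAPMessage) ---
SEQUENCE, SET, INTEGER, ENUMERATED, OCTET_STRING = 0x30, 0x31, 0x02, 0x0A, 0x04
APP_MODIFY_REQUEST = 0x66   # [APPLICATION 6], constructed
MOD_REPLACE = 2             # ModifyRequest operation: replace(2)


def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_uint(v: int) -> bytes:
    """Content octets of a non-negative INTEGER/ENUMERATED (minimal, sign bit clear)."""
    return v.to_bytes(v.bit_length() // 8 + 1, "big")


def encode_unicode_pwd(password: str) -> bytes:
    """AD wire format for unicodePwd: the password in double quotes, UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def build_ad_unicodepwd_modify(message_id: int, target_dn: str, password: str) -> bytes:
    """LDAPMessage carrying a ModifyRequest that *replaces* unicodePwd on target_dn.

    replace = administrative reset (needs reset-password rights on the target);
    AD requires an encrypted session for this, else unwillingToPerform.
    """
    partial_attr = _tlv(SEQUENCE,
                        _tlv(OCTET_STRING, b"unicodePwd")
                        + _tlv(SET, _tlv(OCTET_STRING, encode_unicode_pwd(password))))
    change = _tlv(SEQUENCE, _tlv(ENUMERATED, _ber_uint(MOD_REPLACE)) + partial_attr)
    modify_req = _tlv(APP_MODIFY_REQUEST,
                      _tlv(OCTET_STRING, target_dn.encode("utf-8")) + _tlv(SEQUENCE, change))
    return _tlv(SEQUENCE, _tlv(INTEGER, _ber_uint(message_id)) + modify_req)


def sync_to_ad(message_id: int, ad_dn: str, user_password: bytes):
    """What the overlay would emit for one intercepted userPassword value, or None."""
    clear = extract_cleartext(user_password)
    if clear is None:
        return None
    return build_ad_unicodepwd_modify(message_id, ad_dn, clear.decode("utf-8"))


# --- tiny BER reader, enough to check our own output ---
def _read_tlv(buf: bytes, pos: int):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def parse_ad_unicodepwd_modify(msg: bytes) -> dict:
    _, body, _ = _read_tlv(msg, 0)                 # LDAPMessage
    _, mid, pos = _read_tlv(body, 0)               # messageID
    tag, req, _ = _read_tlv(body, pos)             # protocolOp
    if tag != APP_MODIFY_REQUEST:
        raise ValueError("not a ModifyRequest")
    _, dn, pos = _read_tlv(req, 0)
    _, changes, _ = _read_tlv(req, pos)
    _, change, _ = _read_tlv(changes, 0)           # first (only) change
    _, op, pos = _read_tlv(change, 0)
    _, pattr, _ = _read_tlv(change, pos)
    _, atype, pos = _read_tlv(pattr, 0)
    _, vals, _ = _read_tlv(pattr, pos)
    _, val, _ = _read_tlv(vals, 0)
    return {"message_id": int.from_bytes(mid, "big"), "dn": dn.decode("utf-8"),
            "op": op[0], "attr": atype.decode("ascii"),
            "password": val.decode("utf-16-le")[1:-1]}


if __name__ == "__main__":
    # Constructed sample input, not real data.
    dn = "CN=Test User,CN=Users,DC=example,DC=com"
    wire = sync_to_ad(1, dn, b"{CLEARTEXT}Str0ngPassw0rd!")
    print(wire.hex())
    print(parse_ad_unicodepwd_modify(wire))
    print(sync_to_ad(2, dn, b"{SSHA}h2E1y5ZXQ7Rk") is None)   # hashed: nothing to sync
```

The `extract_cleartext` gate is the part that matters for the original question: the overlay only ever gets a usable value if it runs before slapd hashes userPassword (or if the client sends the Password Modify extended operation, which smbk5pwd and ppolicy also hook), and a `{SSHA}`-prefixed value arriving from a client is already lost. Sending the resulting bytes over plain LDAP on port 389 is also pointless, since AD will refuse the unicodePwd change on an unencrypted connection.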