
Re: capture password



Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Clément OUDOT wrote:
>>>> 2014-07-04 14:57 GMT+02:00 Rogério Augusto Rondini
>>>> <rarondini.paradygma@gmail.com>:
>>>>
>>>>      Hi folks,
>>>>
>>>>      I need to implement password sync between AD and OpenLDAP using an IDM
>>>> tool.
>>>>
>>>>      I want to know how to capture clear text password in OpenLDAP before
>>>>      encryption so that I can sync with AD and potentially with others user
>>>>      repositories.
>>>
>>> There is also Microsoft's SSO plugin. Discussed it briefly here
>>> http://www.openldap.org/lists/openldap-devel/200811/msg00045.html
>>
>> Isn't that the other way round?
> 
> It's bidirectional, using PAM.

Anyway I would not waste my time with such an unmaintained code base.

>> The original poster wrote:
>> "I want to know how to capture clear text password in OpenLDAP"
>>
>> So pointing to e.g. the slapo-smbk5pwd source would be right, wouldn't it?
> 
> Eh. Maybe. It's trivial to update passwords on AD from OpenLDAP - just write
> an overlay to intercept changes to userPassword and pad the data to 16-bit
> characters and send to AD as a Modify request on UnicodePwd. Coming back the
> other direction is the harder part, which is where the Microsoft SSO plugin
> comes in.

Or better teach/force everybody to use a custom web application to change the
password with which you can do anything you need.

>>> It's been several years since I last looked at this. I just pulled down the
>>> Unix source code again today, it appears to only support IPv4 as it uses 32
>>> bit IP addresses when generating the session keys for its exchange.
>>
>> If you need AD->LDAP direction IIRC the Windows part of 389's DC password
>> interceptor is also open source.
> 
> Ah, hadn't seen that. Most M$ shops I've worked with won't install 3rd party
> plugins on their DCs though, which is why I've only paid attention to the M$
> plugin.

Yeah, most AD admins are very cautious with what's running on a DC (quite
understandable), hence the web service approach...

Ciao, Michael.
