David Boreham wrote:
> On 7/23/2010 1:35 PM, Howard Chu wrote:
>>> passwordSync: What are you thinking here? DLL that recognizes password changes and creates appropriate hashes and syncs these into OpenLDAP, or
>> Yes. Bi-directionally, of course - it should also intercept LDAP passwordModify requests and forward them to AD.
> Can the FDS/389 password sync client be used or are there license issues with it (I presume it'll be GPL like the rest of FDS)? If you can use it, then some or perhaps all of the work on the Windows end can be avoided. It talks to the DS via LDAP, I think with some minimal extensions (it's been a long time since I looked at the code so I'm not 100% sure).
> There's also code in FDS to send changes to AD via LDAP (including password changes). Whether or not that code would be useful I'm not sure. It'd certainly be useful as a reference for how to talk to AD successfully. Possibly there's similar code in other projects too. There are a few hoops you need to jump through in order to get password changes into AD successfully, iirc.
Right, you can make password changes by encoding the password in UTF-16 and modifying the AD "unicodePwd" attribute, assuming you have the cleartext of the password. If your schema matches, sending updates to AD in general is not a big deal.
The only part that requires custom work is the agent that receives password updates from an AD DC, since that uses a special process on the AD DC and a dedicated protocol of its own.
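As an added example (not code from this thread, nor from OpenLDAP or FDS), the unicodePwd encoding described above, written out in Python: the value AD accepts is the cleartext wrapped in double quotes and encoded as UTF-16-LE without a byte-order mark. It goes slightly beyond the message by also showing the two modify shapes AD distinguishes (a privileged reset as one REPLACE, a user-initiated change as DELETE old + ADD new in the same request) and an LDIF rendering for inspection; the DN is a placeholder, and AD only honours these writes over a protected connection (LDAPS or a signed/sealed bind).

```python
"""Build LDAP modify operations that set a password in Active Directory.

AD exposes the password through the write-only ``unicodePwd`` attribute.
The value must be the cleartext password wrapped in double quotes and
encoded as UTF-16-LE (no byte-order mark).  AD rejects the write unless
the connection is encrypted or the bind is signed/sealed.
"""
import base64

# LDAP modify operation codes as defined in RFC 4511 (same values python-ldap uses).
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def encode_unicode_pwd(password: str) -> bytes:
    """Return the wire value AD expects for unicodePwd."""
    if not password:
        raise ValueError("empty password")
    return ('"' + password + '"').encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Reverse of encode_unicode_pwd; handy when auditing what a sync agent emits."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("value is not a quoted unicodePwd")
    return text[1:-1]


def reset_password_mods(new_password: str):
    """Administrative reset: a single REPLACE issued by a privileged account."""
    return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])]


def change_password_mods(old_password: str, new_password: str):
    """User-initiated change: DELETE the old value and ADD the new one in a
    single request, so AD verifies the old password and applies its policy."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def to_ldif(dn: str, mods) -> str:
    """Render a changelist as LDIF; binary values use the '::' base64 form."""
    names = {MOD_ADD: "add", MOD_DELETE: "delete", MOD_REPLACE: "replace"}
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in mods:
        lines.append(f"{names[op]}: {attr}")
        for v in values:
            lines.append(f"{attr}:: {base64.b64encode(v).decode('ascii')}")
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder DN and constructed sample password, for illustration only.
    print(to_ldif("CN=jdoe,CN=Users,DC=example,DC=test", reset_password_mods("N3w-Pa55!")))
```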