I'm trying to work on a password sync scheme between OpenLDAP and some systems that use flat Unix passwd/shadow files. I have been able to update the LDAP server when someone changes their password on the standalone Unix systems, but I'm having problems trying to get any kind of notification from the LDAP server if someone from a system using the LDAP directory changes their password.
So far, I'm looking at searching the LDAP directory every few minutes for any entries that have had their modifyTimestamp attribute change since the last time the search ran, then checking to see if the userPassword attribute in the LDAP directory is different than the shadow file on the Unix system. This seems like a real stupid scheme, especially when passwords are changed infrequently. I just don't want a long delay between syncing the directory and flat files in case someone changes their password on an LDAP client, then tries to log into the flat file system.
Ideally, there could be some option in OpenLDAP that could call an external program when some attribute(s) have changed. That program could then perform the necessary searches and update the flat files if appropriate. So far, I've found nothing indicating that this is possible so I figured I'd ask and see if anyone else has tried this and what they found. Thanks!
Tom Leach
leach@coas.oregonstate.edu
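As an added illustration of the polling scheme described in the post above (this is not code from the thread or from OpenLDAP): it builds the modifyTimestamp filter for the periodic search, compares each returned userPassword with the hash in a shadow file, and rewrites only the hash field. The entries and shadow lines are constructed sample data; note that only a {CRYPT} value can be copied into /etc/shadow, so entries stored with {SSHA} or another scheme are reported as unsyncable rather than silently ignored.

```python
import re
from datetime import datetime, timezone

# Constructed sample data (not from the list post): entries as python-ldap
# would return them from the periodic search, and an /etc/shadow excerpt.
LDAP_ENTRIES = [
    ("uid=alice,ou=people,dc=example,dc=org",
     {"uid": [b"alice"], "userPassword": [b"{CRYPT}$6$salt$NEWalice"]}),
    ("uid=bob,ou=people,dc=example,dc=org",
     {"uid": [b"bob"], "userPassword": [b"{CRYPT}$6$salt$SAMEbob"]}),
    ("uid=carol,ou=people,dc=example,dc=org",
     {"uid": [b"carol"], "userPassword": [b"{SSHA}c2FsdGVkaGFzaA=="]}),
]
SHADOW_TEXT = ("root:!:18000:0:99999:7:::\n"
               "alice:$6$salt$OLDalice:18000:0:99999:7:::\n"
               "bob:$6$salt$SAMEbob:18000:0:99999:7:::\n"
               "carol:$6$salt$OLDcarol:18000:0:99999:7:::\n")

def changed_since_filter(last_run: datetime) -> str:
    """Search filter for accounts modified since the last run. modifyTimestamp
    is GeneralizedTime and compared as such, so the stamp must be UTC 'Z' form."""
    stamp = last_run.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return f"(&(objectClass=posixAccount)(modifyTimestamp>={stamp}))"

def plan_shadow_updates(entries, shadow_text):
    """Compare LDAP userPassword with the shadow hash of the same user.
    Returns (updates, skipped): uid -> new crypt(3) hash for users that differ,
    and uids whose LDAP value is not {CRYPT} and so cannot go into shadow."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    updates, skipped = {}, []
    for _dn, attrs in entries:
        uid = attrs["uid"][0].decode()
        pw = attrs.get("userPassword", [b""])[0].decode()
        m = re.fullmatch(r"\{CRYPT\}(.+)", pw, flags=re.IGNORECASE)
        if not m:              # {SSHA}, {MD5}, cleartext...: no shadow-compatible hash
            skipped.append(uid)
        elif uid in shadow and shadow[uid] != m.group(1):
            updates[uid] = m.group(1)
    return updates, skipped

def apply_updates(shadow_text, updates):
    """Rewrite only the hash field of affected lines; all other fields stay."""
    out = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] in updates:
            fields[1] = updates[fields[0]]
        out.append(":".join(fields))
    return "\n".join(out) + "\n"
```

On a real system, feed the planned updates to `chpasswd -e` (or write the file under the usual shadow lock) rather than overwriting /etc/shadow in place, and persist the last-run timestamp so a missed cycle is picked up on the next search.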
Tom Leach wrote:
> I'm trying to work on a password sync scheme between OpenLDAP and some systems that use flat Unix passwd/shadow files. I have been able to update the LDAP server when someone changes their password on the standalone Unix systems, but I'm having problems trying to get any kind of notification from the LDAP server if someone from a system using the LDAP directory changes their password.
> So far, I'm looking at searching the LDAP directory every few minutes for any entries that have had their modifyTimestamp attribute change since the last time the search ran, then checking to see if the userPassword attribute in the LDAP directory is different than the shadow file on the Unix system. This seems like a real stupid scheme, especially when passwords are changed infrequently. I just don't want a long delay between syncing the directory and flat files in case someone changes their password on an LDAP client, then tries to log into the flat file system.
> Ideally, there could be some option in OpenLDAP that could call an external program when some attribute(s) have changed. That program could then perform the necessary searches and update the flat files if appropriate. So far, I've found nothing indicating that this is possible so I figured I'd ask and see if anyone else has tried this and what they found. Thanks!
> Tom Leach
> leach@coas.oregonstate.edu
In the old Symas Connexitor EMS product we simply put a slapd on top of /etc/passwd, /etc/shadow, and /etc/group (that is, these flat files provide the backing store for the database that this slapd exposes) and then replicate account updates to it from a central master. You could accomplish much the same thing today using a client reading an accesslog DB.
Hi,
On 18/08/2010 23:24, Tom Leach wrote:
> I'm trying to work on a password sync scheme between OpenLDAP and some systems that use flat Unix passwd/shadow files. I have been able to update the LDAP server when someone changes their password on the standalone Unix systems, but I'm having problems trying to get any kind of notification from the LDAP server if someone from a system using the LDAP directory changes their password.
I assume you have considered setting up PAM/NSS-ldap on these machines instead of rewriting the flat files?
> So far, I'm looking at searching the LDAP directory every few minutes for any entries that have had their modifyTimestamp attribute change since the last time the search ran, then checking to see if the userPassword attribute in the LDAP directory is different than the shadow file on the Unix system. This seems like a real stupid scheme, especially when passwords are changed infrequently. I just don't want a long delay between syncing the directory and flat files in case someone changes their password on an LDAP client, then tries to log into the flat file system.
> Ideally, there could be some option in OpenLDAP that could call an external program when some attribute(s) have changed. That program could then perform the necessary searches and update the flat files if appropriate. So far, I've found nothing indicating that this is possible so I figured I'd ask and see if anyone else has tried this and what they found. Thanks!
Another approach would be to use syncrepl. Performing a search on the attribute you're interested in, and using syncrepl's cookie mechanism to be notified of changes over a persistent search (or to detect changes when connecting again), would allow you to get this information in your client program.
Syncrepl-enabled LDAP libraries are available in several languages now (including, IIRC, Python and Java).
Take a look at some of these resources to read more about syncrepl:
http://www.openldap.org/doc/admin24/replication.html#LDAP%20Sync%20Replicati...
http://blog.normation.com/2010/07/18/java-ldap-sdk-for-syncrepl-replication-...
Hope this helps,
Jonathan
openldap-technical@openldap.org