On Wed, Apr 20, 2011 at 12:39 PM, Bill MacAllister whm@stanford.edu wrote:

> --On Wednesday, April 20, 2011 10:23:20 AM -0400 Alejandro Imass ait@p2ee.org wrote:
>
>> Hello,
>> [...]
>
> One way to do this is to configure your OpenLDAP server to generate an accesslog. Then you read the accesslog looking for any changes and apply the changes to your downstream datastore, whatever it is. We do this using perl and Net::LDAPapi. I can provide an example if you are interested.

Hi Bill, thank you *very* much for your prompt reply. One question (actually 2) though before I ask for the trouble of providing an example.... Do you get the clear text passwd in the accesslog? Is the log in LDIF format? It's not that I really need clear text, but I need to compute the corresponding password hashes for MS-AD. Are you guys able to change the password fields as well? Or are you just copying the hashes from one to the other? How does this work with the accesslog method?

Again many thanks because I really feel that this could be a practical KISS way of integrating this.

Thanks!!! Alex

> Bill
>
> --
> Bill MacAllister, Infrastructure Delivery Group, Stanford University
--On Wednesday, April 20, 2011 01:59:18 PM -0400 Alejandro Imass ait@p2ee.org wrote:

> On Wed, Apr 20, 2011 at 12:39 PM, Bill MacAllister whm@stanford.edu wrote:
>
>> --On Wednesday, April 20, 2011 10:23:20 AM -0400 Alejandro Imass ait@p2ee.org wrote:
>>
>>> Hello,
>>> [...]
>>
>> One way to do this is to configure your OpenLDAP server to generate an accesslog. Then you read the accesslog looking for any changes and apply the changes to your downstream datastore, whatever it is. We do this using perl and Net::LDAPapi. I can provide an example if you are interested.
>
> Hi Bill, thank you *very* much for your prompt reply. One question (actually 2) though before I ask for the trouble of providing an example.... Do you get the clear text passwd in the accesslog? Is the log in LDIF format? It's not that I really need clear text, but I need to compute the corresponding password hashes for MS-AD. Are you guys able to change the password fields as well? Or are you just copying the hashes from one to the other? How does this work with the accesslog method?

We don't store passwords in the directory. Central authentication at Stanford is provided by Kerberos.

You can think of the accesslog as just another backend database. You get information out of it by doing LDAP queries with your tool of choice. If you store passwords in the directory as hashes, then when you query the accesslog the value that is returned will be the hash that is stored in the directory.

Bill

> Again many thanks because I really feel that this could be a practical KISS way of integrating this.
>
> Thanks!!! Alex
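As an added illustration of Bill's point (example code written for this page, not from the thread and not Stanford's Net::LDAPapi tooling): the snippet below takes slapo-accesslog entries as an LDAP search over cn=accesslog would return them, written out as LDIF, turns each reqMod value into a change record for a downstream store, and flags userPassword values that arrive with a hash scheme tag, since those are what the directory stores and cannot be turned into an AD hash. The two entries, DNs and the {SSHA} value are constructed sample data; the attribute names and the reqMod value syntax are those of the accesslog overlay.

```python
import re

# Constructed sample: two accesslog entries as an LDAP search over cn=accesslog
# returns them, written as LDIF. reqMod values use the slapo-accesslog syntax
# "attribute:<+|-|=|#> [value]"; the {SSHA} value is an invented stand-in hash.
SAMPLE_LDIF = """\
dn: reqStart=20110420163901.000001Z,cn=accesslog
reqType: modify
reqDN: uid=alex,ou=people,dc=example,dc=com
reqMod: userPassword:= {SSHA}c29tZXNhbHRlZGhhc2h2YWx1ZQ==
reqMod: mail:+ alex@example.com
reqMod: telephoneNumber:-

dn: reqStart=20110420163905.000001Z,cn=accesslog
reqType: add
reqDN: uid=bob,ou=people,dc=example,dc=com
reqMod: uid:+ bob
reqMod: objectClass:+ inetOrgPerson
"""

OPS = {"+": "add", "-": "delete", "=": "replace", "#": "increment"}
HASH_PREFIX = re.compile(r"^\{[A-Za-z0-9-]+\}")  # {SSHA}, {CRYPT}, ... scheme tag

def parse_ldif(text):
    """Split simple (unfolded, non-base64) LDIF into attribute -> values dicts."""
    entries = []
    for block in text.strip().split("\n\n"):   # blank line separates entries
        cur = {}
        for line in block.splitlines():
            attr, _, val = line.partition(": ")
            cur.setdefault(attr, []).append(val)
        entries.append(cur)
    return entries

def parse_reqmod(value):
    """'attr:<op> [val]' -> (attr, op name, val or None for value-less ops)."""
    attr, op, val = re.match(r"^([^:]+):([+\-=#]) ?(.*)$", value).groups()
    return attr, OPS[op], val or None

def changes_from_accesslog(text):
    """One change record per entry; a tagged userPassword is a stored hash, not cleartext."""
    out = []
    for e in parse_ldif(text):
        mods = [parse_reqmod(v) for v in e.get("reqMod", [])]
        pw = [v for a, _, v in mods if a.lower() == "userpassword" and v]
        out.append({"dn": e["reqDN"][0], "type": e["reqType"][0], "mods": mods,
                    "password_is_hash": any(HASH_PREFIX.match(v) for v in pw)})
    return out
```

A real consumer would replace SAMPLE_LDIF with the result of an LDAP search on cn=accesslog filtered on reqStart later than the last run, which is the polling loop Bill describes.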
openldap-technical@openldap.org