--On Wednesday, April 20, 2011 01:59:18 PM -0400 Alejandro Imass <ait(a)p2ee.org>
On Wed, Apr 20, 2011 at 12:39 PM, Bill MacAllister
> --On Wednesday, April 20, 2011 10:23:20 AM -0400 Alejandro Imass
> <ait(a)p2ee.org> wrote:
> One way to do this is to configure your OpenLDAP server to generate an
> accesslog. They you read the accesslog looking for any changes and
> apply the changes to your downstream datastore whatever it is. We do
> this using perl and Net::LDAPapi. I can provide an example if you are
Hi Bill, thank you *very* much for your prompt reply.
One question (actually 2) though before I ask for the trouble of
providing an example.... do you get the clear text passwd on the
accesslog? is the the log an LDIF format? It's not that I really need
clear text, but I need to compute the corresponding password hashes
for MS-AD. are you guys able to change the password fields as well? or
are you just copying the hashes from one to the other? how does this
work with the accesslog method?
We don't store passwords in the directory. Central authentication at
Stanford is provided by Kerberos.
You can think of the accesslog as just another backend database. You
get information out of it by doing LDAP queries with your tool of
choice. If you store passwords in the directory as hashes then when
you query the accesslog the value that is returned will be the hash
that is stored in the directory.
Again many thanks because I really feel that this could be a
KISS way of integrating this.
Infrastructure Delivery Group, Stanford University