Hi folks,

I need to implement password sync between AD and OpenLDAP using an IDM tool.
I want to know how to capture the clear text password in OpenLDAP before encryption so that I can sync it with AD and potentially with other user repositories.

Kind Regards,
Rogério Rondini
2014-07-04 14:57 GMT+02:00 Rogério Augusto Rondini <rarondini.paradygma@gmail.com>:
> Hi folks,
> I need to implement password sync between AD and OpenLDAP using an IDM tool.
> I want to know how to capture the clear text password in OpenLDAP before encryption so that I can sync it with AD and potentially with other user repositories.

Hi,

we have the same need with LSC (http://lsc-project.org), but the only way for now is to store a symmetrically encrypted password in a separate field and decrypt it on the fly when doing synchronization to other directories.

See http://lsc-project.org/wiki/documentation/howto/activedirectory#password_syn...

Clément.
Clément OUDOT wrote:
> 2014-07-04 14:57 GMT+02:00 Rogério Augusto Rondini <rarondini.paradygma@gmail.com>:
>> Hi folks, I need to implement password sync between AD and OpenLDAP using an IDM tool. I want to know how to capture the clear text password in OpenLDAP before encryption so that I can sync it with AD and potentially with other user repositories.

There is also Microsoft's SSO plugin. Discussed it briefly here: http://www.openldap.org/lists/openldap-devel/200811/msg00045.html

It's been several years since I last looked at this. I just pulled down the Unix source code again today; it appears to only support IPv4, as it uses 32-bit IP addresses when generating the session keys for its exchange. The source archive I downloaded from Microsoft has datestamps from 2009 in it; I don't know if there's anything newer. This would be a decent alternative if they had updated it to support IPv6.

> Hi,
> we have the same need with LSC (http://lsc-project.org), but the only way for now is to store a symmetrically encrypted password in a separate field and decrypt it on the fly when doing synchronization to other directories.
> See http://lsc-project.org/wiki/documentation/howto/activedirectory#password_syn...
> Clément.
Howard Chu wrote:
> Clément OUDOT wrote:
>> 2014-07-04 14:57 GMT+02:00 Rogério Augusto Rondini <rarondini.paradygma@gmail.com>:
>>> Hi folks, I need to implement password sync between AD and OpenLDAP using an IDM tool.
>>> I want to know how to capture the clear text password in OpenLDAP before encryption so that I can sync it with AD and potentially with other user repositories.
>
> There is also Microsoft's SSO plugin. Discussed it briefly here: http://www.openldap.org/lists/openldap-devel/200811/msg00045.html

Isn't that the other way round?

The original poster wrote: "I want to know how to capture clear text password in OpenLDAP"

So pointing to e.g. the slapo-smbk5pwd source would be right, wouldn't it?

> It's been several years since I last looked at this. I just pulled down the Unix source code again today; it appears to only support IPv4, as it uses 32-bit IP addresses when generating the session keys for its exchange.

If you need the AD->LDAP direction, IIRC the Windows part of 389's DC password interceptor is also open source.

Ciao, Michael.
Michael Ströder wrote:
> Howard Chu wrote:
>> Clément OUDOT wrote:
>>> 2014-07-04 14:57 GMT+02:00 Rogério Augusto Rondini <rarondini.paradygma@gmail.com>:
>>>> Hi folks, I need to implement password sync between AD and OpenLDAP using an IDM tool.
>>>> I want to know how to capture the clear text password in OpenLDAP before encryption so that I can sync it with AD and potentially with other user repositories.
>>
>> There is also Microsoft's SSO plugin. Discussed it briefly here: http://www.openldap.org/lists/openldap-devel/200811/msg00045.html
>
> Isn't that the other way round?

It's bidirectional, using PAM.

> The original poster wrote: "I want to know how to capture clear text password in OpenLDAP"
>
> So pointing to e.g. the slapo-smbk5pwd source would be right, wouldn't it?

Eh. Maybe. It's trivial to update passwords on AD from OpenLDAP: just write an overlay to intercept changes to userPassword, pad the data to 16-bit characters and send it to AD as a Modify request on unicodePwd. Coming back the other direction is the harder part, which is where the Microsoft SSO plugin comes in.

>> It's been several years since I last looked at this. I just pulled down the Unix source code again today; it appears to only support IPv4, as it uses 32-bit IP addresses when generating the session keys for its exchange.
>
> If you need the AD->LDAP direction, IIRC the Windows part of 389's DC password interceptor is also open source.

Ah, hadn't seen that. Most M$ shops I've worked with won't install 3rd party plugins on their DCs though, which is why I've only paid attention to the M$ plugin.

> Ciao, Michael.
Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Clément OUDOT wrote:
>>>> 2014-07-04 14:57 GMT+02:00 Rogério Augusto Rondini <rarondini.paradygma@gmail.com>:
>>>>> Hi folks, I need to implement password sync between AD and OpenLDAP using an IDM tool.
>>>>> I want to know how to capture the clear text password in OpenLDAP before encryption so that I can sync it with AD and potentially with other user repositories.
>>>
>>> There is also Microsoft's SSO plugin. Discussed it briefly here: http://www.openldap.org/lists/openldap-devel/200811/msg00045.html
>>
>> Isn't that the other way round?
>
> It's bidirectional, using PAM.

Anyway, I would not waste my time with such an unmaintained code base.

>> The original poster wrote: "I want to know how to capture clear text password in OpenLDAP"
>>
>> So pointing to e.g. the slapo-smbk5pwd source would be right, wouldn't it?
>
> Eh. Maybe. It's trivial to update passwords on AD from OpenLDAP: just write an overlay to intercept changes to userPassword, pad the data to 16-bit characters and send it to AD as a Modify request on unicodePwd. Coming back the other direction is the harder part, which is where the Microsoft SSO plugin comes in.

Or better: teach/force everybody to use a custom web application to change the password, with which you can do anything you need.

>>> It's been several years since I last looked at this. I just pulled down the Unix source code again today; it appears to only support IPv4, as it uses 32-bit IP addresses when generating the session keys for its exchange.
>>
>> If you need the AD->LDAP direction, IIRC the Windows part of 389's DC password interceptor is also open source.
>
> Ah, hadn't seen that. Most M$ shops I've worked with won't install 3rd party plugins on their DCs though, which is why I've only paid attention to the M$ plugin.

Yeah, most AD admins are very cautious with what's running on a DC (quite understandable), hence the web service approach...

Ciao, Michael.
On 07/04/14 09:57 -0300, Rogério Augusto Rondini wrote:
> I need to implement password sync between AD and OpenLDAP using an IDM tool.
> I want to know how to capture the clear text password in OpenLDAP before encryption so that I can sync it with AD and potentially with other user repositories.

You can capture cleartext passwords using the libsasl 'auto_transition' option, although that requires a specific usage scenario. You'd need to be authenticating against slapd using SASL LOGIN or PLAIN (or perhaps SASL pass-through) with a saslauthd daemon authenticating against AD. Like this in your SASL slapd.conf config:

    pwcheck_method: saslauthd
    mech_list: plain login
    auto_transition: yes

Your saslauthd daemon would need to use the ldap or kerberos backends to authenticate against AD.

The clear text password should get stored into userPassword by way of the slapd auxprop plugin.