Michael Ströder wrote:
Howard Chu wrote:
> Clément OUDOT wrote:
>> 2014-07-04 14:57 GMT+02:00 Rogério Augusto Rondini
>> Hi folks,
>> I need to implement password sync between AD and OpenLDAP using an IDM
>> I want to know how to capture clear text password in OpenLDAP before
>> encryption so that I can sync with AD and potentially with other user
> There is also Microsoft's SSO plugin. Discussed it briefly here
Isn't that the other way round?
It's bidirectional, using PAM.
The original poster wrote:
"I want to know how to capture clear text password in OpenLDAP"
So pointing to e.g. slapo-smbk5pwd source would be the right thing, wouldn't it?
Eh. Maybe. It's trivial to update passwords on AD from OpenLDAP - just write
an overlay to intercept changes to userPassword and pad the data to 16-bit
characters and send to AD as a Modify request on UnicodePwd. Coming back the
other direction is the harder part, which is where the Microsoft SSO plugin
> It's been several years since I last looked at this. I just pulled down the
> Unix source code again today, it appears to only support IPv4 as it uses 32
> bit IP addresses when generating the session keys for its exchange.
If you need AD->LDAP direction IIRC the Windows part of 389's DC password
interceptor is also open source.
Ah, hadn't seen that. Most M$ shops I've worked with won't install 3rd party
plugins on their DCs though, which is why I've only paid attention to the M$
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
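
The OpenLDAP-to-AD step described in the message above (widen the password to 16-bit characters and send it as a Modify on unicodePwd), as an added example that is not code from this thread or from OpenLDAP. It builds the LDIF for the Modify; the DN and passwords are constructed, and the surrounding double quotes and the encrypted LDAP connection are requirements on the AD side. It also shows why byte-wise zero padding is only correct for ASCII passwords.

```python
import base64

def naive_pad(password: str) -> bytes:
    """Widen each UTF-8 byte to 16 bits by appending 0x00.
    Matches UTF-16LE only while the password is pure ASCII."""
    return b"".join(bytes([b, 0]) for b in password.encode("utf-8"))

def encode_unicode_pwd(password: str) -> bytes:
    """Value AD accepts for unicodePwd: the password wrapped in
    double quotes, encoded as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")

def _ldif_safe(value: bytes) -> bool:
    """LDIF SAFE-STRING check: printable as-is without base64."""
    if not value:
        return True
    if value[0] in b" :<" or value.endswith(b" "):
        return False
    return all(b < 0x80 and b not in (0x00, 0x0A, 0x0D) for b in value)

def ldif_line(attr: str, value: bytes) -> str:
    """Emit 'attr: value', or 'attr:: base64' when the value is not LDIF-safe."""
    if _ldif_safe(value):
        return f"{attr}: {value.decode('ascii')}"
    return f"{attr}:: {base64.b64encode(value).decode('ascii')}"

def reset_ldif(dn: str, password: str) -> str:
    """LDIF for an administrative reset (replace) of unicodePwd.
    AD refuses this Modify unless the connection is encrypted (e.g. LDAPS)."""
    return "\n".join([
        ldif_line("dn", dn.encode("utf-8")),
        "changetype: modify",
        "replace: unicodePwd",
        # UTF-16LE always contains NUL bytes, so this line is always base64
        ldif_line("unicodePwd", encode_unicode_pwd(password)),
        "-",
        "",
    ])

if __name__ == "__main__":
    # Constructed sample entry and password
    print(reset_ldif("CN=Test User,OU=People,DC=example,DC=com", "Pa5s"))
    # Non-ASCII password: zero padding produces the wrong characters
    print(naive_pad("pässword") == "pässword".encode("utf-16-le"))
```

The generated LDIF can be fed to ldapmodify against the domain controller; a user-initiated change (as opposed to a reset) uses a delete of the old value followed by an add of the new one instead of replace.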