[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#5042) Contribution: Active Directory Password Cache

To: openldap-its@OpenLDAP.org
Subject: (ITS#5042) Contribution: Active Directory Password Cache
From: s.hetze@linux-ag.de
Date: Thu, 12 Jul 2007 17:06:42 GMT

Full_Name: Sebastian Hetze
Version: 2.3.30
OS: Linux
URL: ftp://ftp.openldap.org/incoming/Sebastian-Hetze-pgk-070712.tgz
Submission from: (NULL) (212.21.78.130)


Hi *,

in your FTP incoming you find a piece of software that we would like to
contribute
to the slapd-modules collection.

We hope you find it useful and we would very much like to receive feedback
about
useability, ideas for improvements and (in the very unlikely case of occurance
;-)
bugreports and fixes.


Best regards

  Sebastian Hetze

------------------------------------------------------------------------------------


Active Directory Password Cache
===============================


Active Directory does not provide any means to read user credentials on any
public
API. It is possible, to install additional libraries as password sniffer to
catch and forward cleartext passwords on changes. In case you cannot or simply
dont
want to install such libraries, the Active Directory Password Cache overlay
is your option.

The Active Directory Password Cache overlay allows to mirror user account
credentials without any modification on the AD server. It only takes one
occasional simple bind authentication against the OpenLDAP server.

If the credential has not been mirrored yet, the overlay uses the
krbPrincipalName
and the password provided by the user to perform a Kerberos init against the
Active Directory. A successful Kerberos init guarantees a correct password for
this principal, and therefor the bind finally succeeds.

Within this overlay operation, the password gets encrypted with the default
OpenLDAP hash alorithm and stored as userPassword attribute. There is an option
to update the sambaNTPassword also (using code borrowed from Howard Chu's
smbk5pwd overlay). All following simple bind authentications will first try
these cached credentials, making the OpenLDAP server independent from AD.

In case the user changes its password on the Active Directory server, the old
password stays valid in OpenLDAP until the user first presents the new password
for an simple bind. Within this bind operation, the overlay performs another
Kerberos init and updates the cached credentials in OpenLDAP.

Prev by Date: Re: Can't delete user using DN (Error 32) or add user using DN (Error 68)
Next by Date: (ITS#5043) double free in slapo-rwm when rewriting search filters
Index(es):
- Chronological
- Thread