
RE: back-perl and password/user synchronization



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Kervin Pierre

> Hi,
>
> I am looking into a project to get password/user synchronization between
> Windows 2000 and various UNIX systems using OpenLDAP.
>
> I would like the main user repository to be an ldap server, so solutions
> like SAMBA's winbind and PAM Kerberos have been ruled out.
>
> My plan is to use back-perl and a perl script on the main ldap server
> that would route any add/delete/modify requests concerning
> entries in the user or group organizational units, to an OpenLDAP
> server on Windows 2000 and also to a server running on a UNIX
> server. e.g.
>
>                                      --> main Win2K OpenLDAP server
>                                     |
> ldap query --> OpenLDAP/back-perl--
>                                     |
>                                      --> main UNIX OpenLDAP server
>
> On Win2k, I'd like the back-perl to catch the ldap queries concerning
> modify accounts and process those via our user administration scripts.
> Is back-perl available on Win2K?  If it is not, would it be a
> significant undertaking to port it over to Win2K?
>
> I am new to back-perl; is it even capable of passing the query strings
> to external perl programs?  Has anyone else done anything like this?

I don't think back-perl has even been supported on Unix for a couple of
years now, let alone Windows. The last time I looked at anything like this
was at least that long ago. You need to build perl as a DLL, first of all.
And of course you have to make sure that the perl you build is the one that
OpenLDAP finds and uses, otherwise most of the perl symbols will be
unresolved. (Thanks to the nightmare of perl's internal data structures,
which are organized at least three different ways using ifdef's, depending
on whether you're building single-threaded, multi-threaded, standalone or
embedded. What an abominable mess, makes using libperl portably a near
impossibility...)

As far as what back-perl can do - you configure it with the pathname of a
module to load, and the module provides entry points for the various LDAP
operations. What you do from there is up to you, you can spawn whatever you
like. But there are some big questions before you get that far - can you
build the perl library on Windows? Can you configure back-perl successfully?

...

You really don't need the intermediate LDAP server with back-perl to fan out
the requests, you could just go straight to one of the main servers and use
slurpd to keep the other server updated. As for using OpenLDAP on Win2K to
provide Windows user account info, I believe that is still impossible at
this point in time. At least, in the context of W2K domains and
ActiveDirectory, you need to do a lot more work before you can make it
happen. If you're not working with W2K domain authentication I guess it's
more feasible.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
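An added illustration of the entry-point contract Howard describes above (not code from this thread or from OpenLDAP's own sources): a back-perl module loaded via `database perl`, `perlModulePath` and `perlModule SyncHook` in slapd.conf, which accepts add/modify/delete for entries under the user and group OUs and hands each one to an external administration script. The method names and argument order follow OpenLDAP's bundled back-perl sample module; the suffix, OU names and script path are constructed placeholders.

```perl
package SyncHook;
use strict;
use warnings;
# Constructed placeholders: point these at the real suffix and admin script.
my $ADMIN_SCRIPT = '/usr/local/sbin/useradmin-sync';
my $SUFFIX_RE    = qr/,ou=(?:users|groups),dc=example,dc=com$/i;
sub new    { my $class = shift; return bless {}, $class; }
sub init   { return 0; }
sub config { return 0; }   # extra slapd.conf directives for this backend land here
# Forward only well-formed DNs directly under the user or group OU.
sub _dn_ok {
    my ($dn) = @_;
    return $dn =~ /^(?:cn|uid)=[A-Za-z0-9._-]{1,64}$SUFFIX_RE/ ? 1 : 0;
}
# Hand off via list-form open(): no shell, so metacharacters in LDAP-supplied
# data are inert; values go over stdin, not argv, so they never show up in ps.
sub _dispatch {
    my ($op, $dn, @lines) = @_;
    warn "SyncHook: $op $dn\n";                                   # audit line on slapd's stderr
    open(my $child, '|-', $ADMIN_SCRIPT, $op, $dn) or return 80;  # 80 = LDAP_OTHER
    print {$child} "$_\n" for @lines;
    close($child);
    return $? == 0 ? 0 : 80;
}
sub add {
    my ($this, $entryStr) = @_;                   # the new entry arrives as LDIF text
    my ($dn) = $entryStr =~ /^dn:\s*(.*)$/m;
    return 53 unless defined $dn && _dn_ok($dn);  # 53 = LDAP_UNWILLING_TO_PERFORM
    return _dispatch('add', $dn, split /\n/, $entryStr);
}
sub modify {
    my ($this, $dn, @changes) = @_;               # flat list of (ADD|DELETE|REPLACE, attr, value)
    return 53 unless _dn_ok($dn);
    my @lines;
    while (@changes) {
        my ($action, $attr, $value) = splice @changes, 0, 3;
        push @lines, "$action $attr: $value";
    }
    return _dispatch('modify', $dn, @lines);
}
sub delete {
    my ($this, $dn) = @_;
    return 53 unless _dn_ok($dn);
    return _dispatch('delete', $dn);
}
sub modrdn  { return 53; }   # renames are refused rather than half-applied
sub compare { return 5;  }   # LDAP_COMPARE_FALSE
sub search  { return (0); }  # nothing is stored here: success with an empty result
1;
```

Because slapd runs the module inside its own process, the admin script inherits slapd's privileges and is the place to enforce what each operation may actually change on the target system.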