
Re: Active directory and openldap



What you will soon find is that you have to replicate all userPassword
values to AD in the clear - AD cannot accept hashed or encrypted values.
So, if you store the passwords in the clear in your OpenLDAP server, you
should be fine.

Most people (myself included) are very uneasy about doing that even with
ACIs (as no one should be able to read someone's password - not even the
administrator). You may find a solution of using PK encryption to secure
the passwords for synchronization to AD, but that will be a very *custom*
solution.

And before you think of making AD the master, know that it won't give up
the userPassword value once it has it. This prevents you from synchronizing
other LDAP servers from it.

-lon


> Hello,
>
> Just want to be able to use a Campus-wide LDAP server (openldap) with
> an AD locally so that our users have the same password. They already
> have the same username all across Campus.
>
> Is it possible to use an OpenLDAP server as a Master, and that server
> feeds an AD domain with usernames and passwords only in one direction?
> Don't need anything else than username and password (for now)
>
> I looked around and heard of lots of things... MS Services for Unix,
> MSS, Metadirectories... ???#$%
>
> The simpler the better, is it possible ??
>
> TIA,
>
> Francois Bourget
> University of Sherbrooke
> Canada
> F.bourget@usherbrooke.ca
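The reply above turns on one point: a one-way password feed into AD only works if OpenLDAP holds userPassword in the clear, which is exactly the state most administrators do not want to be in. The script below is an added example, not code from either poster or from the OpenLDAP project. It parses an LDIF dump (such as slapcat output) and reports every entry whose userPassword carries no hashing scheme prefix, so you can confirm what a directory is actually storing before agreeing to such a sync. The LDIF sample, the DNs and the password values are constructed for illustration; the set of recognised scheme prefixes is an assumption and should be extended to match the modules loaded in your slapd.

```python
"""Audit an LDIF export for userPassword values that are stored in the clear.

Added example (not from the mailing-list thread). Parses LDIF, including
folded continuation lines and base64-encoded values (attr:: value), then
classifies each userPassword value by its {SCHEME} prefix.
"""
import base64
import re

# Scheme prefixes treated as hashed. Assumption: extend this to match the
# password modules (e.g. pw-argon2) actually loaded in your slapd.
HASHED_SCHEMES = {"{SSHA}", "{SHA}", "{MD5}", "{SMD5}", "{CRYPT}", "{ARGON2}"}
SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")

# Constructed sample LDIF: fictitious DNs, passwords and hashes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
uid: alice
userPassword: {SSHA}dGhpcyBpcyBub3QgYSByZWFsIGhhc2g=

dn: uid=bob,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
uid: bob
userPassword: hunter2

dn: uid=carol,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
uid: carol
userPassword:: e0NMRUFSVEVYVH1zZWNyZXQ=

dn: uid=dave,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
uid: dave
userPassword: {SSHA}dGhpcyBpcyBub3QgYSByZWFsIGhhc2ggZWl0aGVy
 IGJ1dCBpdCBpcyBmb2xkZWQ=
"""


def _split_attr(line):
    """Split 'attr: value' or 'attr:: base64value' into (attr_lower, value)."""
    attr, _, value = line.partition(":")
    if value.startswith(":"):
        # Double colon: value is base64 (used for non-ASCII or binary data).
        value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
    else:
        value = value.strip()
    return attr.strip().lower(), value


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) entries from LDIF text."""
    # Unfold: a line starting with a single space continues the previous one.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if not line.strip():  # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, value = _split_attr(line)
        if attr == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def classify_password(value):
    """Return 'hashed', 'other-scheme' or 'cleartext' for one userPassword value."""
    match = SCHEME_RE.match(value)
    if not match or match.group(0).upper() == "{CLEARTEXT}":
        return "cleartext"
    return "hashed" if match.group(0).upper() in HASHED_SCHEMES else "other-scheme"


def find_cleartext_passwords(ldif_text):
    """Return [(dn, verdict)] for every userPassword that is not a known hash."""
    findings = []
    for dn, attrs in parse_ldif(ldif_text):
        for value in attrs.get("userpassword", []):
            verdict = classify_password(value)
            if verdict != "hashed":
                findings.append((dn, verdict))
    return findings


if __name__ == "__main__":
    for dn, verdict in find_cleartext_passwords(SAMPLE_LDIF):
        print(f"{verdict:<13} {dn}")
```

Run it against `slapcat -l dump.ldif` output instead of the sample to see which accounts would be exported in the clear; entries reported as `other-scheme` use a prefix the script does not know and should be checked by hand rather than assumed safe.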