[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Openldap replication over XMPP

David Boreham wrote:
On 7/23/2010 1:35 PM, Howard Chu wrote:
passwordSync:  What are you thinking here? DLL that recognizes password
changes and creates apropriate hashes and syncs these into OpenLDAP, or

Yes. Bi-directionally, of course - it should also intercept LDAP
passwordModify requests and forward them to AD.

Can the FDS/389 password sync client be used or are there license issues
with it (I presume it'll be GPL like the rest of FDS) ?
If you can use it, then some or perhaps all of the work on the Windows
end can be avoided.
It talks to the DS via LDAP, I think with some minimal extensions (it's
been a long time
since I looked at the code so I'm not 100% sure).

There's also code in FDS to send changes to AD via LDAP (including
password changes).
Whether or not that code would be useful I'm not sure. It'd certainly be
useful as a reference
for how to talk to AD successfully. Possibly there's similar code in
other projects too.
There are a few hoops you need to jump through in order to get password
changes into AD
successfully, iirc.

Right, you can make password changes by encoding the password in UTF-16 and modifying the AD "unicodePwd" attribute, assuming you have the cleartext of the password. If your schema matches, sending updates to AD in general is not a big deal.

The only part that requires custom work is the agent that receives password updates from an AD DC, since that uses a special process on the AD DC and a dedicated protocol of its own.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/