
Re: Passthrough Authentication? (fwd)

If your PDC is Win2k, I think you can use SASL+Kerberos (I've never actually done it), no external packages needed.

If you want to keep your credential information in OpenLDAP but just want to synchronize accounts and passwords to Windows, you can try OpenLDAP replica + back-perl on the Windows PDC and a perlModule. This method would work with WinNT as well.

Here's a Windows bind method for back-perl that uses ADSI.

use strict;
use warnings;
use Win32::OLE;

# back-perl bind hook: slapd calls this with ($this, $dn, $password)
# and expects 0 for success, non-zero for failure.
sub bind {
	my $debug = 3;
	# 'this' pointer, a la C++
	# OO Perl is all the rage.
	my $this	= shift;
	# dn trying to bind as
	my $dn		= shift;
	# password supplied with this dn
	my $pass	= shift;

	# expects the first attribute in the dn to be the principal name,
	# e.g. "cn=jsmith,dc=example,dc=com"
	# removes the first attribute type, leaving "jsmith,dc=example,dc=com"
	my $rest	= (split('=',$dn,2))[1];
	# split the rest of the dn into 2 parts: "jsmith" and "dc=example,dc=com"
	my ($uid, $ou)	= defined $rest ? (split(',',$rest,2)) : ();

	# a dn without "=" or "," cannot be mapped to a principal: fail the bind
	if( ! defined $uid || ! defined $ou ) {
		print "ERROR: malformed dn '$dn'\n" if( $debug > 0 );
		return 1;
	}

	# LDAP URL of the domain (reuse $ou; a second "my $ou" here would
	# only mask the declaration above)
	$ou		= "LDAP://".$ou;

	# NB: at debug level 3 this writes the cleartext password to the log
	print ">>>>>>>pass = '$pass'\nou = '$ou'\nuid = '$uid'\n" if( $debug > 2 );

	# Specify that we're using LDAP
	my $objNameSpace	= Win32::OLE->GetObject ('LDAP:');
	if( ! defined $objNameSpace ) {
		print "ERROR: Could not create LDAP object\n" if( $debug > 0 );
		return 1;
	}

	# Clear any stale OLE error so LastError() below reflects this call only
	Win32::OLE->LastError(0);
	# Try to bind as the user (flag 1 = ADS_SECURE_AUTHENTICATION)
	my $objObjSec		= $objNameSpace->OpenDSObject($ou, $uid, $pass, 1);
	# Find out if we were successful
	my $retval		= Win32::OLE->LastError();

	# If we weren't those variables may not be defined.
	# If they are, release the COM references (ADSI objects have no Close method).
	undef $objObjSec if( defined $objObjSec );
	undef $objNameSpace if( defined $objNameSpace );

	# Return 0 for success, 1 for failure.
	$retval = 1 if $retval;
	return $retval;
}

Paul Reilly wrote:
Looks like this didn't make it through to the openldap-software
list. Does anyone know if anything like this exists?

---------- Forwarded message ----------
Date: Thu, 27 Jun 2002 19:33:30 +0100 (IST)
From: Paul Reilly <pareilly@tcd.ie>
Are there any packages for OpenLDAP which provide passthrough
authentication for bind operations to a windows PDC? I'm looking
for something along the lines of this for OpenLDAP:


But apparently this only works with iPlanet.