
RE: password synchronization

> Is there an openLDAP interface (perhaps perl-backend) that will allow me
> to intercept LDAP password changes so that I can distribute the changes
> to all my other systems (assume I have the tools to update the other
> systems' passwords).
> For example, I could write a perl script to check the password strength
> and then update all my other systems and LDAP.  Where/how can I slot
> this script into openLDAP?

The native way to do this would be with an overlay.  Check directory
servers/slapd/overlays for examples and essential documentation.

Of course, you need to use the latest 2.2, and preferably HEAD.


> --
>   Simon Oliver
>> -----Original Message-----
>> From: Howard Chu [mailto:hyc@highlandsun.com]
>> Sent: 31 March 2004 10:28
>> To: 'Simon Oliver'; OpenLDAP-software@OpenLDAP.org
>> Subject: RE: password synchronzation
>> > -----Original Message-----
>> > From: owner-openldap-software@OpenLDAP.org
>> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Simon Oliver
>> > I have a heterogeneous network.  I want to use LDAP as the "truth" for
>> > account data/credentials.
>> >
>> > I need a system for two-way synchronization of password changes
>> > between the various systems (NT domain, Samba, SQL Database, UNIX PAM,
>> > etc), using LDAP as the master.
>> >
>> > I can install a password filter on the NT PDC to update LDAP passwords
>> > and I believe there are PAM options to do this for UNIX.
>> Since none of these items you list are themselves pieces of
>> OpenLDAP software, the relevance to this list seems pretty
>> low. It might be more appropriate for the general LDAP list
>> (ldap@umich.edu).
>> Most of the systems you're interested in already have LDAP
>> support, so solving those is a no-brainer. E.g. PADL's
>> pam_ldap for Unix PAM, Samba already has native LDAP support.
>> Since they reference LDAP directly there is no
>> synchronization tool required.
>> SQL Database - there are so many different SQL databases, and
>> the answer depends on which specific one you want. I note
>> that Symas has LDAP agents that allow management of Oracle
>> and Informix accounts. We also have another agent for
>> managing NT PDCs via LDAP. In these cases, synchronization is
>> a simple matter of replication from an OpenLDAP master to
>> each of these agents.
>> > What I need is an openLDAP tool/interface to update the other systems
>> > as and when the LDAP password is changed.  Any ideas?
>> With the right infrastructure, OpenLDAP slurpd will do the
>> updating. As for other tools/interfaces, all of Symas' agents
>> are built using the OpenLDAP libraries. It's certainly
>> feasible for you to write your own using OpenLDAP software.
>>   -- Howard Chu
>>   Chief Architect, Symas Corp.       Director, Highland Sun
>>   http://www.symas.com               http://highlandsun.com/hyc
>>   Symas: Premier OpenSource Development and Support

Pierangelo Masarati