[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Active Directory passwords on OpenLdap

you cannot get the AD password, but you can set it. You must use an ssl

some quick excerpt from my process where I generate random passwords
and cram them into AD... because I don't want them to use AD
passwords... they are using the altSecurityIdentity to authenticate to a
different kerb realm..

btw this is totally not related to OpenLdap at this point.. but I
thought I would share.

##Code Sample
use Net::LDAP;
use Net::LDAP::Entry;
use Net::LDAPS;
use MIME::Base64;
use Crypt::RandPasswd;

$BASE = "ou=people,dc=example,dc=com";
$BINDDN = "cn=perlupdate";
$pass = "secret";

$ldap = new Net::LDAPS('adserver.example.com',
        port => '636',
        verify => 'require',
        sslversion => 'sslv3',
        cafile => '/path/to/adserver.cer') or die "$@";
$ldap->bind("$BINDDN,$BASE", password => $pass);

$entry = Net::LDAP::Entry->new;
$entry->add... # lots of these to fill out all attributes for an ad
# ... and if you don't know what attributes are required, 
# ... generate an account with the wizard and then export it..
# ...
my $mesg = $entry->update($ldap);  # the user must be created before
setting the password.
# ...
$psswd = Crypt::RandPasswd->chars(8,14);
$encoded = pack "v*", unpack "C*", qq("$psswd");
my $result = $ldap->modify("cn=$USERNAME,ou=people,dc=example,dc=com",
                replace => {unicodePwd => $encoded} );
#end Code Block

Jonathan Higgins
IT R&D Project Manager
Kennesaw State University

>>> "Thomas Vincent" <tvincent@2wire.com> 8/6/2004 9:59:57 AM >>>

You basically can pull any attribute out of AD but the password. You
need to buy a commercial product to do that. RIght now I am syncing
accounts between AD and OpenLDAP using everything but the password. 


-----Original Message-----
From: owner-openldap-software@OpenLDAP.org on behalf of Rafa
Sent: Fri 8/6/2004 2:55 AM
To: openldap-software@OpenLDAP.org 
Subject: Active Directory passwords on OpenLdap
Hello everyone.

I'm making a data loading program. It manages several sources and 
integrates them into an OpenLdap structure. A part of this structure 
stores users information for other programs, and a field of that 
information is the user password.  The data source of this password is

an Active Directory service. The idea is that users use this OpenLdap
log in instead of  AD.

My question is, can I read and write directly from AD to OpenLdap or do

I have to do some intermediate treatment? perhaps, for example,
encodings are different and I have to decode and recode.