[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Can OpenLDAP get password from AD

To: Duong Pham Tung <duongpt3@fpt.com.vn>
Subject: Re: Can OpenLDAP get password from AD
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Date: Fri, 13 Feb 2009 10:50:36 +0000
Cc: openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <FE-HN-SRV01bYiMCIqt00000480@fe-hn-srv01.HO.FPT.VN>
References: <FE-HN-SRV01bYiMCIqt00000480@fe-hn-srv01.HO.FPT.VN>
User-agent: Mutt/1.5.13 (2006-08-11)

On Fri, Feb 13, 2009 at 04:54:36PM +0700, Duong Pham Tung wrote:

> I am building a solution for web-based application authentication using OpenLDAP as a backend data source. But, in my case, OpenLDAP acts as a proxy and all user information are stored on AD servers. I can get some field from AD to OpenLDAP, but it is not enough for my apps to authentication user because OpenLDAP canât get password field from ADs. So, can OpenLDAP have other solutions to solve my problem?

This requirement comes up on the mailing lists quite often, so you
would do well to search the archives.

The first thing to understand is that you *cannot* extract password
data from AD because it is not there. AD defers authentication to
Kerberos, which does not store a usable password either.

There are several ways around the problem. One is to use pass-through
authentication:

http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication

Other possibilities are:

Use back-meta and slapo-rwm to make your AD namespace
look like the one you want for LDAP.

Use one of the contributed overlays that do password
callouts (either to LDAP or directly to Kerberos) and
store the password in OpenLDAP if it is correct.
There are at least two choices here, but I don't think
either has been rolled into the OpenLDAP distribution
yet so you would have to build them yourself.

You may also want to look at systems to capture passwords on
AD when they are changed. There are several packages that do that
by pretending to be password quality checkers. Microsoft ship
one as part of SFU, there is a free one on Sourceforge, and
most commercial directory synchronisation products have them.

Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------

References:
- Can OpenLDAP get password from AD
  - From: "Duong Pham Tung" <duongpt3@FPT.COM.VN>

Prev by Date: Re: Can OpenLDAP get password from AD
Next by Date: Re: upgrading an openldap v1 ldbm database to a v2 bdb database?
Index(es):
- Chronological
- Thread