
Re: Can OpenLDAP get password from AD

On Fri, Feb 13, 2009 at 04:54:36PM +0700, Duong Pham Tung wrote:

> I am building a solution for web-based application authentication using OpenLDAP as a backend data source. But, in my case, OpenLDAP acts as a proxy and all user information is stored on AD servers. I can get some fields from AD to OpenLDAP, but it is not enough for my apps to authenticate users because OpenLDAP can't get the password field from ADs. So, can OpenLDAP have other solutions to solve my problem?

This requirement comes up on the mailing lists quite often, so you
would do well to search the archives.

The first thing to understand is that you *cannot* extract password
data from AD because it is not there. AD defers authentication to
Kerberos, which does not store a usable password either.

There are several ways around the problem. One is to use pass-through


Other possibilities are:

	Use back-meta and slapo-rwm to make your AD namespace
	look like the one you want for LDAP.

	Use one of the contributed overlays that do password
	callouts (either to LDAP or directly to Kerberos) and
	store the password in OpenLDAP if it is correct.
	There are at least two choices here, but I don't think
	either has been rolled into the OpenLDAP distribution
	yet so you would have to build them yourself.

You may also want to look at systems to capture passwords on
AD when they are changed. There are several packages that do that
by pretending to be password quality checkers. Microsoft ship
one as part of SFU, there is a free one on Sourceforge, and
most commercial directory synchronisation products have them.

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
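A slapd.conf fragment for the back-meta plus slapo-rwm route mentioned above, added here as an illustration; it is not part of the original message, of the OpenLDAP documentation, or of any product. The hostnames, suffixes, account names and attribute mapping are assumptions chosen for the example. The point it shows is that the proxy never needs a password from AD: the application's own simple bind is forwarded to AD, AD verifies the password, and OpenLDAP stores nothing.

```conf
# Added example, not from the original post. Assumed names:
#   local naming context : ou=people,dc=example,dc=com
#   AD users container   : cn=Users,dc=ad,dc=example,dc=com
#   AD domain controller : ad.example.com
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

moduleload      back_meta.la
moduleload      rwm.la

database        meta
suffix          "ou=people,dc=example,dc=com"

# Single target: the AD users container. ldaps:// so that the simple-bind
# passwords the proxy forwards never cross the network in clear.
uri             "ldaps://ad.example.com/ou=people,dc=example,dc=com"

# Present the AD subtree under the local suffix. A bind or search for
# cn=jdoe,ou=people,dc=example,dc=com is sent to AD as
# cn=jdoe,cn=Users,dc=ad,dc=example,dc=com.
suffixmassage   "ou=people,dc=example,dc=com" "cn=Users,dc=ad,dc=example,dc=com"

# After a reconnect, bind to AD again as the client, never as a
# proxy-wide account: the proxy holds no AD credential of its own.
rebind-as-user  yes

# Rename attributes so the application sees the names it expects.
# A filter (uid=jdoe) reaches AD as (sAMAccountName=jdoe) and the
# sAMAccountName value comes back labelled uid.
overlay         rwm
rwm-map         attribute uid sAMAccountName

# Typical application flow against this proxy (constructed for the example):
#   1. bind as its own AD service account through the proxy:
#      ldapsearch -x -H ldap://proxy.example.com \
#        -D "cn=webapp,ou=people,dc=example,dc=com" -W \
#        -b "ou=people,dc=example,dc=com" "(uid=jdoe)" dn
#   2. simple-bind as the DN returned in step 1 with the user's password;
#      the proxy forwards that bind to AD, which accepts or rejects it.
```

Two caveats for anyone deploying something like this. First, because the user's password is forwarded verbatim, the link between slapd and AD must be TLS; the example uses ldaps://, and the CA that signed the domain controller's certificate has to be trusted by slapd (via the target's tls options or the system ldap.conf) or the hostname check will fail. Second, since AD is doing the real authentication, AD's lockout and password policies apply, so a brute-force attempt against the proxy locks the AD account exactly as it would against AD directly; rate-limit binds at the application layer accordingly.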