[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Simple LDAP to LDAP Integration

--On Wednesday, April 20, 2011 01:59:18 PM -0400 Alejandro Imass <ait@p2ee.org> wrote:

On Wed, Apr 20, 2011 at 12:39 PM, Bill MacAllister <whm@stanford.edu> wrote:

--On Wednesday, April 20, 2011 10:23:20 AM -0400 Alejandro Imass
<ait@p2ee.org> wrote:



One way to do this is to configure your OpenLDAP server to generate an
accesslog. ÂThey you read the accesslog looking for any changes and
apply the changes to your downstream datastore whatever it is. ÂWe do
this using perl and Net::LDAPapi. ÂI can provide an example if you are

Hi Bill, thank you *very* much for your prompt reply.
One question (actually 2) though before I ask for the trouble of
providing an example.... do you get the clear text passwd on the
accesslog? is the the log an LDIF format? It's not that I really need
clear text, but I need to compute the corresponding password hashes
for MS-AD. are you guys able to change the password fields as well? or
are you just copying the hashes from one to the other? how does this
work with the accesslog method?

We don't store passwords in the directory.  Central authentication at
Stanford is provided by Kerberos.

You can think of the accesslog as just another backend database.  You
get information out of it by doing LDAP queries with your tool of
choice.  If you store passwords in the directory as hashes then when
you query the accesslog the value that is returned will be the hash
that is stored in the directory.


Again many thanks because I really feel that this could be a practical
KISS way of integrating this.



Bill MacAllister
Infrastructure Delivery Group, Stanford University