Re: A possible way to have NT authenticate against LDAP (RFI)

>The API states that this function will be called by the system, from our
>DLL, with the user's name and password.  We can *conceptually* have this
>function run an ldap query to update a foreign ldap server.  I'm
>planning to implement this on windows 2k but the ADSI SDK (windoze's
>ldap SDK) can be installed on win95 or NT4 (I believe).

The password notify API is present as far back as NT 3.51 I believe,
not on Win95 though. Note that it runs in kernel space, so you'll need
something else to make the actual LDAP op.

This still doesn't address how you authenticate the user. The correct
way to do this is to replace the Local Security Authority (LSA) DLL
which is non-trivial. Another way is to write a GINA DLL; this is
the approach NISGINA took, but only applies to interactive logons
and still requires a local account to exist. I would question whether
it's worth the effort when LDAP isn't really an authentication
service.

>On the unix-side, we can wrap the passwd command to do the same thing.

Use pam_ldap.


-- Luke

--
Luke Howard | Darwin Developer | PADL Software Pty Ltd
www.padl.com | lukeh@darwin.apple.com | lukeh@padl.com
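For the Unix side that the reply points at, here is an added example (not from the original thread or from PADL's own documentation) of what "use pam_ldap" looks like in practice: a Linux-PAM stack that authenticates and changes passwords against LDAP, so nothing has to wrap the passwd command. Module paths, the /etc/ldap.conf keys shown and the directory host/base are assumptions for illustration; check them against the pam_ldap version you install.

```conf
# /etc/pam.d/system-auth (assumed path; Linux-PAM service file)
# Local accounts are tried first; LDAP users fall through to pam_ldap.
auth        sufficient  /lib/security/pam_unix.so
auth        required    /lib/security/pam_ldap.so use_first_pass

account     sufficient  /lib/security/pam_unix.so
account     required    /lib/security/pam_ldap.so

# Password changes: quality check, then local shadow, else LDAP.
# use_authtok / use_first_pass reuse the already-prompted new password so
# the user is not asked twice and the same value reaches both backends.
password    required    /lib/security/pam_cracklib.so
password    sufficient  /lib/security/pam_unix.so use_authtok shadow
password    required    /lib/security/pam_ldap.so use_first_pass

session     required    /lib/security/pam_unix.so
session     optional    /lib/security/pam_ldap.so

# /etc/ldap.conf (assumed path and keys; values are placeholders)
host        ldap.example.com
base        dc=example,dc=com
# pam_ldap authenticates with a simple bind, i.e. the cleartext password
# is sent to the server; require TLS so it never crosses the wire in clear.
ssl         start_tls
tls_checkpeer yes
pam_password exop
```

The point the stack makes is that PAM already gives the Unix side a single place to route both authentication and password changes, which is why wrapping passwd is unnecessary. The one setting to get right from a security standpoint is transport protection: because pam_ldap proves the password by binding with it, an unencrypted connection exposes every login and password change to anyone on the path.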