
Re: capture password



On 07/04/14 09:57 -0300, Rogério Augusto Rondini wrote:
I need to implement password sync between AD and OpenLDAP using an IDM tool.

I want to know how to capture clear text password in OpenLDAP before
encryption so that I can sync with AD and potentially with other user
repositories.

You can capture cleartext passwords using the libsasl 'auto_transition'
option, although that requires a specific usage scenario. You'd need to be
authenticating against slapd using SASL LOGIN or PLAIN (or perhaps sasl
pass-through) with a saslauthd daemon authenticating against AD. Like this
in your sasl slapd.conf config:

pwcheck_method: saslauthd
mech_list: plain login
auto_transition: yes

Your saslauthd daemon would need to use the ldap or kerberos backends to
authenticate against AD.

The clear text password should get stored into userPassword by way of the
slapd auxprop plugin.

--
Dan White
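
An audit check for the configuration described in the message above, as an added example that is not part of the original thread or of Cyrus SASL/OpenLDAP. It flags when a SASL application config will leave cleartext passwords in the auxprop store; the finding codes and function names are hypothetical, and the 'noplain' value comes from the Cyrus SASL options documentation, not from this thread.

```python
# Added example (not from the thread): audit a Cyrus SASL application config
# for the cleartext-capture combination described in the message above.
SAMPLE_CONF = """\
# constructed sample mirroring the three options quoted in the message
pwcheck_method: saslauthd
mech_list: plain login
auto_transition: yes
"""

PLAINTEXT_MECHS = {"plain", "login"}


def parse_sasl_conf(text):
    """Parse 'option: value' lines, skipping blanks and '#' comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def audit(opts):
    """Return (code, message) findings on cleartext password handling."""
    findings = []
    methods = opts.get("pwcheck_method", "auxprop").lower().split()
    mechs = set(opts.get("mech_list", "").lower().split())
    transition = opts.get("auto_transition", "no").lower()
    # An unset mech_list offers every installed mechanism, so treat it as
    # possibly including PLAIN/LOGIN (assumption: those plugins are installed).
    plain = sorted(mechs & PLAINTEXT_MECHS) if mechs else sorted(PLAINTEXT_MECHS)
    if plain:
        findings.append(("cleartext-mech",
                         "%s send the password itself to slapd; require TLS"
                         % "/".join(m.upper() for m in plain)))
    if plain and "saslauthd" in methods and transition == "yes":
        findings.append(("cleartext-stored",
                         "auto_transition writes the cleartext password to the "
                         "auxprop store (userPassword via the slapd plugin)"))
    elif "saslauthd" in methods and transition == "noplain":
        findings.append(("transition-noplain",
                         "auto_transition stores only non-plaintext secrets"))
    return findings


if __name__ == "__main__":
    for code, message in audit(parse_sasl_conf(SAMPLE_CONF)):
        print("%-18s %s" % (code, message))
```

A "cleartext-stored" finding means every userPassword value written this way is readable by anything with read access to that attribute, so the ACLs and replication paths covering it need the same review as the sync tool itself.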