Hi folks,
here is a description of our password sync:

Until last year we were using OpenLDAP as the password server; for administering the LDAP we used LDAP Account Manager (LAM) and phpLDAPadmin. When a new user is created, we give them a standard password, and the user can use the self service from LAM to change the password to their own needs.

Now, for technical reasons, we have to use an AD; the implementation was on Debian 7 with Samba 4.1. For the user and group sync we are using LSC, which works fine. The only problem was the password sync.

For this reason we are now using LAM Pro. LAM is free; for LAM Pro you have to pay nearly 250 €. The reason why we bought it is the possibility of custom scripts. Custom scripts are called after or before any operation on the OpenLDAP. In this case we are using the post-modify of the self service.

Here the call: "PostModify /usr/bin/syncPW.sh $cn$ $INFO.userPasswordClearText$"

The parameters are the LDAP cn and the user's password in cleartext.

The next problem was that samba-tool, which changes passwords on the command line, runs only as root.

So I wrote a Python script:

import sys
import ldap

username = sys.argv[1]
new_pass = sys.argv[2]

# AD expects the new password double-quoted and UTF-16LE encoded in unicodePwd
new_password = ('"%s"' % new_pass).encode("utf-16-le")

# server URI is not given in the post; assumed here (unicodePwd needs an encrypted connection)
con = ldap.initialize("ldaps://dc.example.de")

try:
        con.simple_bind_s("user", "password")
        # a single MOD_REPLACE of unicodePwd is an administrative reset (no old password needed)
        mod_attrs = [(ldap.MOD_REPLACE, 'unicodePwd', new_password)]
        con.modify_s('cn=%s,cn=Users,dc=exampledom,DC=example,DC=de' % username, mod_attrs)
except ldap.LDAPError:
        raise
else:
        print("Successfully changed password.")


The next problem was that the password for the bind was in cleartext in the Python script, so we used Python's compile to compile the script to bytecode, to make it unreadable.

Now the shell script from the self service calls the Python interpreter with two parameters, cn and password, and then the password is changed on the AD.

Regards


--
Uwe
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
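The hook described in the post, written out as an added, self-contained example (this is not Uwe's script and not part of LSC or LAM): it takes the same two arguments that the LAM PostModify line passes ($cn$ and $INFO.userPasswordClearText$), performs the same unicodePwd replace over python-ldap, reads the bind credential from a root-only file instead of embedding it in the script, escapes the cn before it is built into a DN, and demands LDAPS with a valid certificate, since AD refuses unicodePwd writes over an unencrypted connection. The DC hostname dc1.example.de, the credential file path and the stand-in connection used to exercise the helpers offline are assumptions; the user base DN is the one from the post.

```python
#!/usr/bin/env python3
"""Reset an AD user's password from a LAM self-service PostModify hook.

Added example, not the script from the mailing-list post. Called as
    syncPW.py <cn> <new-password>
with the same two arguments LAM's PostModify line passes.
"""
import os
import stat
import sys

LDAP_URI = "ldaps://dc1.example.de"                       # assumed DC hostname
USERS_BASE = "cn=Users,dc=exampledom,DC=example,DC=de"    # base from the post
CRED_FILE = "/etc/syncpw/bind.cred"                       # assumed path
MOD_REPLACE = 2  # numeric value of ldap.MOD_REPLACE in python-ldap

# RFC 4514: these characters must be backslash-escaped inside an RDN value
_RDN_SPECIALS = ',+"\\<>;'


def escape_rdn_value(value):
    """Escape a cn for use in a DN so a cn like 'Doe, John' cannot alter the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIALS or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def user_dn(cn):
    return "cn=%s,%s" % (escape_rdn_value(cn), USERS_BASE)


def encode_unicode_pwd(password):
    """AD wants the new password wrapped in double quotes and UTF-16LE encoded."""
    return ('"%s"' % password).encode("utf-16-le")


def build_modlist(password):
    """One MOD_REPLACE of unicodePwd is an administrative reset (no old password needed)."""
    return [(MOD_REPLACE, "unicodePwd", encode_unicode_pwd(password))]


def read_bind_credential(path=CRED_FILE):
    """Read bind DN (line 1) and password (line 2) from a root-owned, mode 0600 file.

    Keeping the credential out of the script lets the script stay readable;
    the mode check makes a loosened permission fail loudly instead of silently.
    """
    st = os.stat(path)
    if st.st_uid != 0 or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s must be owned by root with mode 0600" % path)
    with open(path) as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2:
        raise ValueError("%s must hold bind DN on line 1 and password on line 2" % path)
    return lines[0], lines[1]


def set_password(conn, cn, password):
    """Replace unicodePwd on the user's entry over an already-bound connection.

    conn only needs a modify_s(dn, modlist) method, so the logic can be
    exercised offline with a stand-in object.
    """
    dn = user_dn(cn)
    conn.modify_s(dn, build_modlist(password))
    return dn


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: %s <cn> <new-password>\n" % argv[0])
        return 2
    import ldap  # python-ldap; imported here so the helpers above run without it
    binddn, bindpw = read_bind_credential()
    conn = ldap.initialize(LDAP_URI)
    # AD refuses unicodePwd writes on an unencrypted connection; demand a valid cert too
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    conn.simple_bind_s(binddn, bindpw)
    try:
        print("password reset for %s" % set_password(conn, argv[1], argv[2]))
    finally:
        conn.unbind_s()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The account named in the credential file needs the "Reset password" right on the user objects, nothing more. Because the new password arrives on the command line, it is briefly visible in the process list on the LAM host; that is inherent to the PostModify mechanism, so the host running the hook should be as tightly restricted as the DC itself.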
