2010/6/30 Gunter Holzer <[email protected]>:
> Hi,
>
> thank you for your answer.
>
> I already use lsc (great software btw.) for user and group sync from OpenLDAP 
> to AD.
> My passwords in OpenLDAP are ssha encrypted - so I only have a password hash.
> I am not allowed to make any changes to the OpenLDAP System. So I can't use 
> MS IDMU/ Services for Unix with PAM.
>
> The only way I see, is to change the password with a web application in both 
> directories...
> Or do you have any other suggestions?
>
> Thank you!
>
> Regards,
>
> Gunter Holzer
>

I see.

I think it could be really ugly in your case.

But one way to do that is (personally tested with multiple
referentials: SQL, AD and classical LDAP server):
- Build an intermediate ldap server which is only used to synchronize password;
- Configure a LSC task to maintain identities from your main openldap
server to the intermediate one.
- SSP stores the user password in clear into the intermediate one;
- Configure a LSC task to detect clear passwords: on each password
found, hash it into the userPassword attribute, and encrypt it into an
additional attribute (userPasswordEnc for example) with a symmetric
key;
- Configure a LSC task to synchronize all userPasswordEnc values to AD;
if the synchronization is successful, then delete the temporary
attribute called userPasswordEnc.

The main advantage is that you could replay password synchronization
(because LSC has the clear value by decrypting userPasswordEnc).

As you can see, it is not so easy :)

Cheers,
Thomas.

-- 
Thomas Chemineau
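As an added illustration of the two middle steps Thomas describes (hash the staged clear password into userPassword, keep a symmetrically encrypted copy in userPasswordEnc, and drop that copy once the AD push succeeds), here is a stand-alone Python sketch. It is not code from this thread, from LSC or from SSP: the staging attribute name `clearPassword`, the key `SYNC_KEY`, the `push` callable standing in for the AD connector, and the HMAC-SHA256 counter-mode cipher used in place of whatever symmetric algorithm LSC would be configured with are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed key for the example only; in a real deployment it would live in
# the LSC task configuration, never in source code.
SYNC_KEY = b"example-32-byte-symmetric-key!!!"


def ssha_hash(password, salt=None):
    """Produce an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a clear password against a {SSHA} value (salt follows the 20-byte digest)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def _keystream(key, nonce, length):
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks, truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC with keys derived from the sync key; returns base64(nonce||ct||tag)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode("ascii")


def decrypt(key, token):
    """Verify the tag first, then recover the clear password; raise on tampering."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    raw = base64.b64decode(token)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("userPasswordEnc failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def stage_password(entry, key=SYNC_KEY):
    """Task 'detect clear passwords': consume the staging attribute (assumed name
    clearPassword), write an SSHA userPassword and an encrypted userPasswordEnc."""
    clear = entry.pop("clearPassword")
    entry["userPassword"] = ssha_hash(clear)
    entry["userPasswordEnc"] = encrypt(key, clear.encode("utf-8"))
    return entry


def sync_to_ad(entry, push, key=SYNC_KEY):
    """Task 'synchronize to AD': decrypt the staged copy and hand it to the AD
    connector (push(dn, clear) -> bool). Only on success is userPasswordEnc
    deleted; on failure it stays so the task can be replayed on the next run."""
    clear = decrypt(key, entry["userPasswordEnc"]).decode("utf-8")
    if push(entry["dn"], clear):
        del entry["userPasswordEnc"]
        return True
    return False


if __name__ == "__main__":
    # Constructed entry as SSP would leave it in the intermediate directory.
    staged = stage_password({"dn": "uid=jdoe,ou=people,dc=example,dc=org",
                             "clearPassword": "Tr0ub4dor&3"})
    print(staged["userPassword"], ssha_verify("Tr0ub4dor&3", staged["userPassword"]))
    print("replayable:", sync_to_ad(staged, lambda dn, pw: False))
    print("synced:", sync_to_ad(staged, lambda dn, pw: True), "userPasswordEnc" in staged)
```

The replay property Thomas points out falls out of the last function: a failed push leaves userPasswordEnc in place, so the next LSC run finds it again and retries, while a successful push removes the only recoverable copy of the clear password from the intermediate server.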
_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
