We're happy to announce version 1.0 of an NT authentication plugin for iPlanet Directory Server running on Linux and HP-UX. This plugin allows you to leverage an existing NT domain infrastructure for LDAP pass-through authentication, saving you the trouble of managing or synchronizing individual userPassword attributes for each user. For more information on how the plugin works, see below.

You can download the plugin at:

http://prdownloads.sourceforge.net/dsntauth/ntauth-1.0.tar.gz

The main project page is:

http://sourceforge.net/projects/dsntauth

The code is licensed under the GPL. We're eager to get feedback, and welcome anyone who is interested in participating to join the project.

Cheers,

Neil Dunbar and Kartik Subbarao

How it works
============

To illustrate how the plugin works, take the following excerpts from two entries in an LDAP Directory:

dn: [EMAIL PROTECTED], ou=Employees, o=hp.com
cn: Neil Dunbar
uid: [EMAIL PROTECTED]
ntUserDomainID: EUROPE1:nd

dn: [EMAIL PROTECTED], ou=Employees, o=hp.com
cn: Kartik Subbarao
uid: [EMAIL PROTECTED]
ntUserDomainID: ATLANTA2:kssu

When Neil Dunbar binds to the LDAP server with his distinguished name and password, an authentication request is sent to a domain controller for the EUROPE1 domain. This request attempts to authenticate the user "nd" using the password in the LDAP bind request. If the domain controller replies with a successful response, the bind is allowed, otherwise it is rejected.

Similarly, when Kartik Subbarao binds to the LDAP server with his distinguished name and password, a request is sent to a domain controller for the ATLANTA2 domain to authenticate the user kssu in the ATLANTA2 domain.

Currently, the plugin is written for iPlanet's Directory Server product. We are looking at porting it to OpenLDAP as well. The plugin has been tested extensively on Linux and HP-UX, and is likely to run on most other Unix platforms as well.
As a security measure, binds are only accepted on port 636 (the standard LDAP/SSL port).
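The bind decision described above, modelled as an added example (this is not the plugin's own code, which is an iPlanet server plugin in C): the ntUserDomainID value is split into domain and user, the bind is refused unless it arrives on port 636, and the password is forwarded to a pluggable authenticator standing in for the domain controller. The directory entries, the DNs and the domain-controller stub with its passwords are all constructed here; the rejection of an empty password is an added assumption, since LDAP treats an empty-password bind as unauthenticated.

```python
from typing import Callable, Dict, Optional, Tuple

LDAPS_PORT = 636  # binds are only accepted on the standard LDAP/SSL port

# Constructed entries modelled on the announcement's excerpts (DNs are made up).
ND_DN = "cn=Neil Dunbar,ou=Employees,o=hp.com"
KSSU_DN = "cn=Kartik Subbarao,ou=Employees,o=hp.com"
NO_NT_DN = "cn=No NT Account,ou=Employees,o=hp.com"
DIRECTORY: Dict[str, Dict[str, str]] = {
    ND_DN: {"cn": "Neil Dunbar", "ntUserDomainID": "EUROPE1:nd"},
    KSSU_DN: {"cn": "Kartik Subbarao", "ntUserDomainID": "ATLANTA2:kssu"},
    NO_NT_DN: {"cn": "No NT Account"},  # no ntUserDomainID: cannot pass through
}


def parse_nt_user_domain_id(value: str) -> Optional[Tuple[str, str]]:
    """Split a 'DOMAIN:user' value into (domain, user); None if malformed."""
    domain, sep, user = value.partition(":")
    if not sep or not domain or not user:
        return None
    return domain, user


# (domain, user, password) -> True if the domain controller accepts them.
Authenticator = Callable[[str, str, str], bool]


def pass_through_bind(dn: str, password: str, port: int,
                      directory: Dict[str, Dict[str, str]],
                      authenticate: Authenticator) -> Tuple[bool, str]:
    """Decide a simple bind for dn; returns (accepted, reason)."""
    if port != LDAPS_PORT:
        return False, "bind refused: not on port %d" % LDAPS_PORT
    if not password:
        # Assumption: an empty password is an unauthenticated bind, so it is
        # rejected locally instead of being forwarded to a domain controller.
        return False, "bind refused: empty password"
    entry = directory.get(dn)
    if entry is None:
        return False, "no such entry"
    raw = entry.get("ntUserDomainID")
    if raw is None:
        return False, "entry has no ntUserDomainID"
    parsed = parse_nt_user_domain_id(raw)
    if parsed is None:
        return False, "malformed ntUserDomainID: %r" % raw
    domain, user = parsed
    if authenticate(domain, user, password):
        return True, "domain controller for %s accepted %s" % (domain, user)
    return False, "domain controller for %s rejected %s" % (domain, user)


# Constructed stand-in for the EUROPE1 and ATLANTA2 domain controllers.
_FAKE_DC = {("EUROPE1", "nd"): "nd-constructed-pw",
            ("ATLANTA2", "kssu"): "kssu-constructed-pw"}


def fake_domain_auth(domain: str, user: str, password: str) -> bool:
    return _FAKE_DC.get((domain, user)) == password
```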
