David Boreham wrote:
> On 7/23/2010 1:35 PM, Howard Chu wrote:
>>> passwordSync: What are you thinking here? DLL that recognizes password
>>> changes and creates appropriate hashes and syncs these into OpenLDAP, or
>> Yes. Bi-directionally, of course - it should also intercept LDAP
>> passwordModify requests and forward them to AD.
> Can the FDS/389 password sync client be used or are there license issues
> with it (I presume it'll be GPL like the rest of FDS)?
> If you can use it, then some or perhaps all of the work on the Windows
> end can be avoided.
> It talks to the DS via LDAP, I think with some minimal extensions (it's
> been a long time since I looked at the code so I'm not 100% sure).
> There's also code in FDS to send changes to AD via LDAP (including
> password changes).
> Whether or not that code would be useful I'm not sure. It'd certainly be
> useful as a reference for how to talk to AD successfully. Possibly
> there's similar code in other projects too.
> There are a few hoops you need to jump through in order to get password
> changes into AD successfully, iirc.
Right, you can make password changes by encoding the password in UTF-16 and
modifying the AD "unicodePwd" attribute, assuming you have the cleartext of
the password. If your schema matches, sending updates to AD in general is not
a big deal.
The only part that requires custom work is the agent that receives password
updates from an AD DC, since that uses a special process on the AD DC and a
dedicated protocol of its own.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
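The unicodePwd write that Howard describes, as an added example; this is not code from the thread, from OpenLDAP, or from 389/FDS. It assumes a python-ldap-style connection object exposing modify_s(dn, modlist) and a tls_active flag, a hypothetical user DN, and made-up passwords; the RecordingConnection class is a stand-in built so the code runs offline. Two details beyond what the message states, both documented AD behaviour: the value must be the new password wrapped in double quotes before UTF-16LE encoding, and a domain controller refuses the write unless the connection is protected by TLS (LDAPS or StartTLS). A self-service change deletes the old value and adds the new one in a single modify; an administrative reset replaces the value.

```python
"""Build and send an Active Directory unicodePwd modification.

Illustration code only. No LDAP library is imported: the modification
list is built in the shape python-ldap's modify_s() expects and handed
to whatever connection object is passed in, so it can be run offline.
"""

# Modify operation codes from RFC 4511; python-ldap exposes the same
# values as ldap.MOD_ADD, ldap.MOD_DELETE and ldap.MOD_REPLACE.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

UNICODE_PWD = "unicodePwd"


def encode_unicode_pwd(password: str) -> bytes:
    """Wire value AD expects: the password in double quotes, UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; useful for checking what was sent."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a double-quoted string")
    return text[1:-1]


def build_password_modlist(new_password: str, old_password=None):
    """Return a python-ldap style modlist: [(op, attr, [values]), ...].

    With old_password the change is a self-service change (delete old,
    add new, one modify request). Without it the change is an
    administrative reset (replace), which needs reset rights on the user.
    """
    new_value = encode_unicode_pwd(new_password)
    if old_password is None:
        return [(MOD_REPLACE, UNICODE_PWD, [new_value])]
    return [
        (MOD_DELETE, UNICODE_PWD, [encode_unicode_pwd(old_password)]),
        (MOD_ADD, UNICODE_PWD, [new_value]),
    ]


def push_password_to_ad(conn, user_dn: str, new_password: str, old_password=None):
    """Send the unicodePwd modification over conn; returns the modlist sent.

    conn.tls_active is an assumed attribute of the connection wrapper used
    here; AD will reject the write over cleartext LDAP anyway, but failing
    locally keeps the cleartext password off the wire in the first place.
    """
    if not getattr(conn, "tls_active", False):
        raise RuntimeError("refusing to send unicodePwd over a non-TLS LDAP connection")
    modlist = build_password_modlist(new_password, old_password)
    conn.modify_s(user_dn, modlist)
    return modlist


class RecordingConnection:
    """Stand-in for an ldap.LDAPObject; records modify_s() calls (constructed for the example)."""

    def __init__(self, tls_active: bool):
        self.tls_active = tls_active
        self.calls = []

    def modify_s(self, dn, modlist):
        self.calls.append((dn, modlist))


def demo():
    """Self-service change for a hypothetical user; returns the recorded calls."""
    conn = RecordingConnection(tls_active=True)
    user_dn = "CN=Jane Doe,OU=Users,DC=example,DC=com"  # hypothetical DN
    push_password_to_ad(conn, user_dn, "Summer2010!", old_password="Spring2010!")
    return conn.calls


if __name__ == "__main__":
    for dn, modlist in demo():
        for op, attr, values in modlist:
            print(op, attr, decode_unicode_pwd(values[0]), "->", dn)
```

A real sync agent would open the connection with ldaps:// (or run StartTLS) and bind as an account holding the reset right before calling modify_s; the delete/add form only needs the user's own credentials. For the reverse direction (OpenLDAP passwordModify into AD) the same modlist applies, since that extended operation hands the cleartext new password to the server.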