I'm back on this old question, because I'm now really working on it.
Andrew Bartlett wrote:
Second, I was looking at a better way to sync user accounts between our
new LDAP-backed Heimdal KDC and our Windows AD. Currently, we have an
automated task synchronising user entries into Windows LDAP from our
Unix LDAP hourly, and a password-management CGI propagating password
changes to both systems (using an ugly VB CGI on the Windows side to
effectively change the password). I was wondering if the password
handling stuff could be merged with the LDAP synchronisation task, now
that we store Kerberos keys in LDAP.
Windows does not allow the password attributes to be manipulated like
that. You could potentially read and set passwords with Samba4's
DRSUAPI synchronisation, but you can't do it with just Heimdal or just
LDAP.
I succeeded in setting or changing the unicodePwd attribute in AD through a
pure LDAP operation. It allows me to pass authentication when trying to
open a remote desktop session (which immediately fails for an authorization
issue). But I guess it isn't enough to handle the Kerberos part of the AD
authentication system.
From http://wiki.samba.org/index.php/Samba4/ActiveDirectory#DRSUAPI, it
seems that this API is far from being usable now.
As I suspect from your answer it's not, I'm still interested in the best
way to handle AD user accounts remotely, without a local Windows code
relay. Is there any issue with directly modifying the AD base through an LDAP
connection? My Windows colleague currently prefers to dump LDIF entries
and import them through a Windows-specific tool. And how does one set a Windows
password from Perl code? I'm currently biased toward using an external
smbpasswd call, but maybe there are better ways.
You could certainly run Samba tools to set the user's password, if you
wanted.
Well, smbpasswd (from Samba 3) allows a user to change his own password,
provided he knows the current one. But from the man page, it seems
impossible to use it with a privileged account (member of the Account
Operators group) to change someone else's password against an AD controller.
So, am I missing something if I use LDAP operations to at least set up an
initial password for the user, then have him use smbpasswd to make it
fully operational?
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
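The thread mentions setting unicodePwd through a pure LDAP operation and asks how to do it from a script. The following is an added example, not code from the thread or from Samba, showing the part that usually trips people up: AD only accepts unicodePwd over an encrypted connection (ldaps:// or TLS), and the value must be the cleartext password wrapped in double quotes and encoded as UTF-16-LE. An administrative reset is a single `replace`; a self-service change by the user is a `delete` of the old value plus an `add` of the new one in the same modify. The DN, hostname and passwords below are constructed placeholders.

```python
import base64

# Assumption: the caller reaches the DC via an encrypted URL. AD refuses
# unicodePwd writes over plain ldap:// without TLS, so refuse early.
ALLOWED_SCHEMES = ("ldaps://",)


def unicode_pwd_value(password: str) -> bytes:
    """Encode a cleartext password the way AD expects it in unicodePwd:
    the password surrounded by double quotes, as UTF-16-LE bytes."""
    if '"' in password:
        # A double quote would break the required quoting.
        raise ValueError("passwords containing '\"' are not representable here")
    return f'"{password}"'.encode("utf-16-le")


def _b64(value: bytes) -> str:
    """LDIF needs binary values base64-encoded after 'attr::'."""
    return base64.b64encode(value).decode("ascii")


def check_server_url(url: str) -> bool:
    """True only if the URL uses a scheme AD accepts for password writes."""
    return url.startswith(ALLOWED_SCHEMES)


def ldif_admin_reset(dn: str, new_password: str) -> str:
    """LDIF for a privileged reset: one 'replace' of unicodePwd.
    The bind account needs reset-password rights on the target object."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {_b64(unicode_pwd_value(new_password))}",
        "-",
        "",
    ])


def ldif_user_change(dn: str, old_password: str, new_password: str) -> str:
    """LDIF for a self-service change: delete the old value, add the new one,
    inside a single modify so AD can verify the old password."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {_b64(unicode_pwd_value(old_password))}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {_b64(unicode_pwd_value(new_password))}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values (hypothetical DN and host).
    dn = "CN=jdoe,OU=Users,DC=example,DC=org"
    url = "ldaps://dc.example.org"
    if not check_server_url(url):
        raise SystemExit("refusing to write unicodePwd over an unencrypted URL")
    print(ldif_admin_reset(dn, "Init-Pa55word"))
    print(ldif_user_change(dn, "Init-Pa55word", "User-Ch0sen"))
```

The printed LDIF can be fed to OpenLDAP's `ldapmodify` with an `-H ldaps://...` URL and a privileged bind (for the reset form) or the user's own bind (for the change form). Whether the resulting account is usable for Kerberos is a separate question: this only writes the attribute the DC uses to derive the keys itself.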