Ticket #1443 (closed task: fixed)

Opened 4 years ago

Last modified 4 years ago

Integration with Windows Active Directory

Reported by: jacalvo@… Owned by: jacalvo@…
Milestone: Component: base
Severity: normal Keywords: active directory
Cc: juruen@…

Description

The goal is to have a periodic synchronization (cron script) between our current eBox OpenLDAP and another Windows AD machine.

If this is not possible maybe some of our services could authenticate directly against AD.

The main concern is the stored passwords, currently we need to store them in different formats for different services (samba, asterisk). We don't know if this will be possible with AD.

Change History

comment:1 Changed 4 years ago by jacalvo@…

  • Status changed from new to assigned

comment:2 Changed 4 years ago by jacalvo@…

At first glance, it doesn't seem possible to get the password of the existent users by any means. However, it seems that there are several methods to be notified of the password changes of a user, or the first password when a new user is created (all these methods require installation of special software on the Windows domain controllers).

Would that approach be possible for us? I mean, force a password change on all existent users at the moment of the migration (it should be only a one-time operation).

There is another option that I should investigate carefully, it needs a recompilation of slapd with cyrus-sasl support:

 http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication

comment:3 Changed 4 years ago by jacalvo@…

  • Cc juruen@… added

comment:4 Changed 4 years ago by jacalvo@…

Example of ldapsearch command to get the info of a Windows AD:

ldapsearch -x -b "dc=FOOBAR" -D "cn=Administrator,cn=users,dc=FOOBAR" -h 192.168.1.140 -W

comment:5 Changed 4 years ago by jacalvo@…

eBox modules that need to bind to ldap as root:

  • samba
  • asterisk
  • egroupware
  • radius
  • webserver

eBox modules that bind as user:

  • jabber
  • squid
  • mail

With the pass-through authentication we probably can get only three modules working, so it doesn't seem a good approach. Furthermore, it strongly depends on the AD machine. If it is down, the pass-through authentication won't work.

We should look at the different options for getting notified of the password changes and store them in our openldap.

comment:6 Changed 4 years ago by jacalvo@…

After trying with Microsoft Services for Unix, we have dropped it for several reasons, we are going with plan B: implementing our own password synchronization solution based on this free software project: http://sourceforge.net/projects/passwdhk/

comment:7 Changed 4 years ago by FiNAS

Are you sure you want to go this way? passwdhk hasn't been updated since 2003. What's the problem with Services for Unix?

comment:8 Changed 4 years ago by jacalvo@…

Of course I am sure, I don't see another option. Do you think we can modify and restribute microsoft without taking risk of legal problems? (without modifications it's useless)

Please, if you know about any other option that can be better, let us know asap :)

comment:9 Changed 4 years ago by jacalvo@…

Sorry, my previous comment was full of typos, I wanted to say "redistribute" and "microsoft code".

comment:10 Changed 4 years ago by anonymous

Can you enable my account on the forum to send PM's ?

comment:11 Changed 4 years ago by FiNAS

forgot to change the name from anonymous.

comment:12 Changed 4 years ago by jacalvo@…

PM's are disabled in the forum, all comments in the forum should be public.

If you want to contact me directly enter irc.freenode.net, channel #ebox (nick _Josh_) or send me an email. (Maybe you cannot see my full address due to the spam filter in trac, the domain is ebox-technologies.com)

comment:13 Changed 4 years ago by jacalvo@…

First version of client and server for the password notification is done (still needs some improvements such as retry in case of failure), also passwdHk has been tested successfully in Windows Server 2003 (we should also test it in 2008)

Pending stuff:

  • integrate everything (ebox interface, cron...)
  • polishing (configuration files, windows installer)
  • lots of testing

comment:14 Changed 4 years ago by jacalvo@…

Installer done, integration with eBox almost done, now implementing a queue for managing notification errors as a Windows service
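
The two concerns raised in this ticket, storing each synchronized password in the formats the different services need (description) and queuing notifications so delivery errors are retried (comment:13 and comment:14), as an added example that is not eBox's or passwdHk's code. It assumes a hypothetical notification format (one JSON object with "user" and "password"), the OpenLDAP {SSHA} userPassword scheme and an Asterisk md5secret-style digest with an assumed realm; the LDAP write itself is left to the caller-supplied apply function.

```python
# Added example, not eBox/passwdHk code. Re-encodes a password-change notification
# (assumed format: JSON {"user","password"}) for the consumers and retries delivery.
import base64
import hashlib
import json
import os
from collections import deque

def ssha_hash(password: str, salt: bytes = None) -> str:
    """OpenLDAP {SSHA} userPassword: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def md5secret(user: str, password: str, realm: str = "asterisk") -> str:
    """Asterisk md5secret-style digest: md5("user:realm:password"), hex (realm assumed)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()

def ldap_changes(notification: str) -> dict:
    """Attribute values to write for one notification (raises if malformed)."""
    msg = json.loads(notification)
    user, password = msg["user"], msg["password"]
    if not user or not password:
        raise ValueError("user and password must be non-empty")
    return {"uid": user, "userPassword": ssha_hash(password),
            "md5secret": md5secret(user, password)}

def deliver_all(notifications, apply, max_attempts: int = 3) -> list:
    """Apply each notification; re-queue delivery failures, drop malformed ones."""
    queue, failed = deque((n, 1) for n in notifications), []
    while queue:
        note, attempt = queue.popleft()
        try:
            changes = ldap_changes(note)
        except (ValueError, KeyError, TypeError):  # malformed: retrying cannot help
            failed.append(note)
            continue
        try:
            apply(changes)
        except Exception:  # e.g. LDAP server unreachable: retry later
            if attempt < max_attempts:
                queue.append((note, attempt + 1))
            else:
                failed.append(note)
    return failed
```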

comment:15 Changed 4 years ago by jacalvo@…

  • Status changed from assigned to closed
  • Resolution set to fixed

Done in [15020]

comment:16 Changed 4 years ago by razrslink@…

  • Status changed from closed to reopened
  • Resolution fixed deleted

May I ask what steps were taken to implement passwdHk into Windows Server 2003. I have been trying to do this for a while but was not successful. Even while using the example batch file that was included, no output was created. Thanks in advance.

comment:17 Changed 4 years ago by jacalvo@…

  • Status changed from reopened to closed
  • Resolution set to fixed