For more information on how the plugin works, see below. You can
download the plugin at:
http://prdownloads.sourceforge.net/dsntauth/ntauth-1.0.tar.gz
The main project page is:
http://sourceforge.net/projects/dsntauth
The code is licensed under the GPL.
We're eager to get feedback, and welcome anyone who is interested in
participating to join the project.
Cheers,
Neil Dunbar and Kartik Subbarao
How it works
============
To illustrate how the plugin works, take the following excerpts from two
entries in an LDAP directory:

dn: uid=neil_...@hp.com, ou=Employees, o=hp.com
cn: Neil Dunbar
uid: neil_...@hp.com
ntUserDomainID: EUROPE1:nd

dn: uid=kartik_...@hp.com, ou=Employees, o=hp.com
cn: Kartik Subbarao
uid: kartik_...@hp.com
ntUserDomainID: ATLANTA2:kssu
When Neil Dunbar binds to the LDAP server with his distinguished name
and password, an authentication request is sent to a domain controller
for the EUROPE1 domain. This request attempts to authenticate the user
"nd" using the password in the LDAP bind request. If the domain
controller replies with a successful response, the bind is allowed,
otherwise it is rejected.
Similarly, when Kartik Subbarao binds to the LDAP server with his
distinguished name and password, a request is sent to a domain
controller for the ATLANTA2 domain to authenticate the user kssu in the
ATLANTA2 domain.
Currently, the plugin is written for iPlanet's Directory Server product.
We are looking at porting it to OpenLDAP as well. The plugin has been
tested extensively on Linux and HP-UX, and is likely to run on most
other Unix platforms as well. As a security measure, binds are only
accepted on port 636 (the standard LDAP/SSL port).
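The bind decision described above (domain and user name taken from the entry's ntUserDomainID, the password checked against a domain controller for that domain, binds refused off port 636), as an added Python example that is not the plugin's own code: the two directory entries are the excerpts above, and the domain controller is a constructed stand-in so the logic runs offline.

```python
from typing import Callable, Dict, List, Optional, Tuple

LDAPS_PORT = 636  # the plugin only accepts binds on the LDAP/SSL port

# Constructed directory excerpts, copied from the two entries above.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=neil_...@hp.com, ou=Employees, o=hp.com": {
        "cn": ["Neil Dunbar"],
        "uid": ["neil_...@hp.com"],
        "ntUserDomainID": ["EUROPE1:nd"],
    },
    "uid=kartik_...@hp.com, ou=Employees, o=hp.com": {
        "cn": ["Kartik Subbarao"],
        "uid": ["kartik_...@hp.com"],
        "ntUserDomainID": ["ATLANTA2:kssu"],
    },
}

# Constructed stand-in for the NT domain controllers: the real plugin
# sends an authentication request to a DC for the named domain.
_FAKE_DC_ACCOUNTS = {("EUROPE1", "nd"): "s3cret", ("ATLANTA2", "kssu"): "pw2"}

def fake_domain_controller(domain: str, user: str, password: str) -> bool:
    return _FAKE_DC_ACCOUNTS.get((domain, user)) == password

def parse_nt_user_domain_id(value: str) -> Optional[Tuple[str, str]]:
    """Split 'DOMAIN:user' into (domain, user); None if malformed."""
    domain, sep, user = value.partition(":")
    if not sep or not domain or not user:
        return None
    return domain, user

def preop_bind(dn: str, password: str, port: int,
               dc_authenticate: Callable[[str, str, str], bool]
               = fake_domain_controller) -> bool:
    """Fail-closed bind decision mirroring the plugin's policy."""
    if port != LDAPS_PORT:           # only the LDAP/SSL port is allowed
        return False
    entry = DIRECTORY.get(dn)
    if entry is None:                # unknown bind DN
        return False
    ids = entry.get("ntUserDomainID", [])
    if len(ids) != 1:                # missing or ambiguous mapping
        return False
    parsed = parse_nt_user_domain_id(ids[0])
    if parsed is None:               # malformed DOMAIN:user value
        return False
    return dc_authenticate(*parsed, password)
```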