Change Password to Multiple Directories?


Kirk

Feb 28, 2012, 5:41:14 PM
to pwm-general
Hello:

I've been reading the documentation and working with some developers
on testing PWM. I was wondering if PWM can commit the same password
change to more than one directory - something like this scenario:

1.) All of the schema additions / attributes in OpenLDAP.
2.) User security questions stored in OpenLDAP.
3.) User successfully answers security questions and changes password
in OpenLDAP.
4.) PWM commits the same password change to OpenLDAP and then also to
Active Directory.

We have had considerable trouble with Password Synchronization
products, and we hoped to use this as an alternative.

Thanks in advance,
Kirk

Dhivakaran Muruganantham

Feb 28, 2012, 6:41:09 PM
to pwm-g...@googlegroups.com
I believe what you are talking about is LDAP Replica.

This is what I have...

- Primary Master and Secondary Master in Multi-Master mode
- PWM system connected to Primary Master for password management
- 3 LDAP instances configured as Consumers connected to Primary Master
- The Consumer LDAP instances are the ones used by applications and other services which need LDAP-based user account authentication.

User logs in to the PWM system and changes the password with the Master LDAP.
Application login works almost immediately with the Consumer LDAP.

I haven't configured any consumer LDAP instances of type OpenLDAP / Active Directory.
I think setting up a Consumer Instance of Active Directory may require more work, because Active Directory uses 'CN=' in its tree, whereas other directories use 'OU=' a lot. At least that's my understanding.


thanks
dhiva


Kirk Cless

Feb 29, 2012, 8:15:54 AM
to pwm-g...@googlegroups.com
Hello Dhiva:

Thank you for your reply.

We do use multi-master replication to maintain fault tolerance of our LDAP directory store, and we maintain several domain controllers in Active Directory to do the same for it. But what I'm trying to accomplish is password synchronization between LDAP and Active Directory. We have been unsuccessful with the Password Synchronization offered by 389 Directory Server (http://directory.fedoraproject.org/wiki/Howto:WindowsSync).

I was hoping that PWM could somehow commit the same password change to a user in each directory, provided that the uid / sAMAccountName were the same.

Thanks,
Kirk

Joshua Ellsworth

Feb 29, 2012, 8:50:30 AM
to pwm-g...@googlegroups.com
Me too! We have multiple environments that we cannot simply replicate for various reasons. I would really like it if PWM could somehow commit password changes to multiple LDAPs.

Menno Pieters

Feb 29, 2012, 9:00:45 AM
to pwm-g...@googlegroups.com, Kirk Cless
On 29-02-12 14:15, Kirk Cless wrote:
> Hello Dhiva:
>
> Thank you for your reply.
>
> We do use multi-master replication to maintain fault tolerance of our
> LDAP directory store, and we maintain several domain controllers in
> Active Directory to do the same for it. But, what I'm trying to
> accomplish is password synchronization between LDAP and Active
> Directory. We have been unsuccessful with the Password
> Synchronization offered by 389 Directory Server
> (http://directory.fedoraproject.org/wiki/Howto:WindowsSync)
>
> I was hoping that PWM could somehow commit the same password change to
> a user in each directory, provided that the uid / sAMAccountName were
> the same.

PWM has the option to use an external Java class for setting a password.
This option can be found under the Integration/Developer section of the
configuration (enable View --> Show Advanced Settings). In previous
versions (before the current SVN release) it was found under Miscellaneous.

Recently another option has been added to call a REST interface to
change an external password.

Regards,

Menno


Juancar

Mar 21, 2012, 3:23:04 AM
to pwm-general
Kirk, though this topic should be handled off this list, I'm dealing with
practically your same scenario. We're migrating app auth from AD to
Fedora and thus we need to establish password sync between them. So far
we have found no problems at all with the windowssync offered by
Fedora.