Network Security Focus-Microsoft

R: Active Directory password external use

Subject: R: Active Directory password external use
Date: Thu, 1 Sep 2005 09:29:29 +0200
Hi

as far as now I had some applications I wanted to make work with AD
authentication to simplify users' day-to-day work. Actually my issues were
for Linux based systems and web applications (not running on IIS) that
needed to authenticate users against the AD domain. If you consider that there
are many programs supporting Active Directory authentication, there are many
more that support LDAP authentication methods. AD is an LDAPv3 tree. I have
worked on a few helpers for internal use (such as for Squid and for web
applications) that try to bind to the LDAP tree using the given
credentials (passed via a web form or via an external call from programs).
If the binding was successful, access is granted and the user can log in.
No double user repositories, no need for replicating or capturing the
passwords as they are changed on the domain. Furthermore, what happens if
the user account is locked for security reasons? i.e. the account expires,
user is forced to change his password, account is locked? You will need to
synchronize such information as well.

All this, as usual, IMHO.

Best regards,

Sebastian Zdrojewski
Senior System & Network Administrator

Tel: +39 02.62.610.317
Mobile: +39 347.6079.096
E-Mail: sebastian.zdrojewski@technomind.it

TECHNOMIND S.p.A.
Via Galileo Galilei, 7 - 20124 Milano
Tel. +39 02.62.610.300 - Fax +39 02.62.610.333
Web: http://www.technomind.it/



-----Original message-----
From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
Sent: Wednesday, 31 August 2005 8.27
To: focus-ms@securityfocus.com
Subject: Active Directory password external use

Hello list,

I am currently doing a project that requires using the Active 
Directory users' password for purposes other than just 
workstation logon or share access.

What I would need to do is detect password change / reset 
events on the domain, capture the new password and send it to 
another application. This could be done with an agent or 
daemon running on the DC machine.

The question is, when a user's password is changed / 
reset, is it possible to externally capture this event and 
make use of the password before it is stored in a 
non-reversible format inside the active dir.?

What security implications would this have, and what security 
measures would you propose for such an agent?

Thanks in advance for your help and best regards, Rodrigo.
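
The bind-based check described in the reply above, sketched as an added example that is not part of either message: the helper refuses empty passwords, forwards the credentials to an LDAP simple bind, and reads AD's bind-failure sub-code so lockout, expiry and forced password change are handled without any synchronisation. The `bind` callable, the `example.test` suffix, the `fake_bind` directory and its diagnostic strings are assumptions constructed for the example.

```python
import re

# On a failed bind AD puts a hex sub-code after "data" in the diagnostic text.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password",
    "775": "account locked out",
}
_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]{3,4})\b")
_USER_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def classify_bind_failure(diagnostic):
    """Map the server's diagnostic message to a reason for the helper's log."""
    m = _DATA_RE.search(diagnostic or "")
    return AD_SUBCODES.get(m.group(1).lower(), "bind failed") if m else "bind failed"


def authenticate(username, password, bind, upn_suffix="example.test"):
    """Return (granted, reason). `bind(principal, password)` is a hypothetical
    callable that performs an LDAP simple bind over TLS and returns
    (ok, diagnostic_message); inject one built on your LDAP library."""
    # A simple bind with a name and an empty password is an *unauthenticated*
    # bind (RFC 4513, 5.1.2) and can succeed, so never forward it.
    if not password:
        return False, "empty password rejected"
    # Accept only a bare account name; the helper, not the user, picks the domain.
    if not _USER_RE.fullmatch(username or ""):
        return False, "invalid username"
    ok, diagnostic = bind(f"{username}@{upn_suffix}", password)
    return (True, "ok") if ok else (False, classify_bind_failure(diagnostic))


def fake_bind(principal, password):
    """Constructed stand-in for a directory, so the example runs offline."""
    if password == "":
        return True, ""  # models a server that accepts unauthenticated binds
    accounts = {"alice@example.test": ("S3cret!", None),
                "bob@example.test": ("hunter2", "775")}
    stored, state = accounts.get(principal, (None, "525"))
    if stored == password and state is None:
        return True, ""
    return False, ("80090308: LdapErr: DSID-0C090334, comment: "
                   f"AcceptSecurityContext error, data {state or '52e'}, v893")
```

The reason string is meant for the helper's own log; the login form should show one generic failure message so it does not reveal which accounts exist.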
