R: Active Directory password external use
From: Sebastian Zdrojewski (sebastian.zdrojewski_at_technomind.it)
Date: 09/01/05
To: "Rodrigo Blanco" <rodrigo.blanco.r@gmail.com> Date: Thu, 1 Sep 2005 00:29:29 -0700
Hi,

up to now I have had some applications I wanted to make work with AD authentication to simplify users' day-to-day work. Actually my issues were for Linux-based systems and web applications (not running on IIS) that needed to authenticate users against the AD domain. If you consider that there are many programs supporting Active Directory authentication, there are many more that support LDAP authentication methods. AD is an LDAPv3 tree. I have worked on a few helpers for internal use (such as for Squid and for web applications) that try to bind to the LDAP tree using the given credentials (passed via a web form or via an external call from programs). If the binding was successful, access is granted and the user can log in.

No double user repositories, no need for replicating or capturing the passwords as they are changed on the domain. Furthermore, what happens if the user account is locked for security reasons? i.e. the account expires, the user is forced to change his password, the account is locked? You will need to synchronize such information as well.

All this, as usual, IMHO.

Best regards,
Sebastian Zdrojewski
Senior System & Network Administrator
Tel: +39 02.62.610.317
Mobile: +39 347.6079.096
E-Mail: sebastian.zdrojewski@technomind.it
TECHNOMIND S.p.A.
Via Galileo Galilei, 7 - 20124 Milano
Tel. +39 02.62.610.300 - Fax +39 02.62.610.333
Web: http://www.technomind.it/
> -----Original message-----
> From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
> Sent: Wednesday, 31 August 2005 8.27
> To: focus-ms@securityfocus.com
> Subject: Active Directory password external use
>
> Hello list,
>
> I am currently doing a project that requires using the Active
> Directory users' password for purposes other than just
> workstation logon or share access.
>
> What I would need to do is detect password change / reset
> events on the domain, capture the new password and send it to
> another application. This could be done with an agent or
> daemon running on the DC machine.
>
> The question is, when a user's password is changed /
> reset, is it possible to externally capture this event and
> make use of the password before it is stored in a
> non-reversible format inside the active dir.?
>
> What security implications would this have, and what security
> measures would you propose for such an agent?
>
> Thanks in advance for your help and best regards, Rodrigo.
---------------------------------------------------------------------------
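
The bind-based check described in the reply above, as an added example that is not part of the original message or anyone's production helper: it refuses empty passwords before they reach LDAP and reads the account state (locked, expired, must change password) from the sub-code Active Directory puts in a failed bind's diagnostic text. The `simple_bind` adapter, the `fake_dc_bind` stand-in and the account names are assumptions constructed for illustration.

```python
import re

# Sub-codes AD puts in the diagnostic text of a failed bind, e.g.
# "... AcceptSecurityContext error, data 775, v1db1".
AD_BIND_SUBCODES = {
    "52e": "invalid_credentials",
    "532": "password_expired",
    "533": "account_disabled",
    "701": "account_expired",
    "773": "must_change_password",
    "775": "account_locked",
}
_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]{3,4})\b")


def classify_bind_failure(diagnostic):
    """Map an AD bind diagnostic string to an account state."""
    match = _DATA_RE.search(diagnostic or "")
    code = match.group(1).lower() if match else ""
    return AD_BIND_SUBCODES.get(code, "bind_failed")


def authenticate(user, password, simple_bind):
    """Return (granted, reason). simple_bind(user, password) is a hypothetical
    adapter around the LDAP client in use, returning (ok, diagnostic)."""
    # A simple bind with an empty password is an "unauthenticated bind"
    # (RFC 4513) that a server may accept, so it must never reach LDAP.
    if not user or not password:
        return False, "empty_credentials"
    ok, diagnostic = simple_bind(user, password)
    return (True, "ok") if ok else (False, classify_bind_failure(diagnostic))


def fake_dc_bind(user, password):
    """Constructed stand-in for a domain controller (runs offline)."""
    # Second element: sub-code returned when the bind is refused;
    # "52e" marks an account with no lockout or expiry state.
    accounts = {"alice@example.test": ("s3cret", "52e"),
                "bob@example.test": ("hunter2", "775")}
    if password == "":
        return True, ""  # models a server accepting unauthenticated binds
    stored, refusal_code = accounts.get(user, (None, "52e"))
    if stored == password and refusal_code == "52e":
        return True, ""
    return False, ("80090308: LdapErr: DSID-0C0903A9, comment: "
                   f"AcceptSecurityContext error, data {refusal_code}, v1db1")
```

In a real helper the adapter would perform the bind over LDAPS or StartTLS, since a simple bind sends the password in clear text.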