[horde] [Fwd: Re: Authentication to a Windows 2003 ADS]

aferreira@gaiajoy.com aferreira at gaiajoy.com
Mon Nov 28 12:43:41 PST 2005


Been there, done that... well I'm currently in a beta phase of it.

I've developed a system that uses qmail-ldap, spamassassin, 
qmail-scanner with av, ftp (pureftp) for file transfer, courier imap, 
and of course, the horde framework (latest version) for everything else.

It is possible, but it's not that simple.
M$ AD breaks standard ldap implementations and schemas that the 
software above uses.
You cannot simply bind to the directory and check the user's password. 
This is done by the software mentioned, but not by the win2k AD auth. 
The password's hash is hidden, and you can only use ADSI to check it.

The main trick here is to use the rebind feature present in qmail, imap 
courier and through a patch/hack in pureftpd.
In other words, DO NOT bind to the AD with the manager's password, BUT 
with the supplied user's credentials. This is known as rebinding.
If the rebinding isn't successful, either the user doesn't exist or 
the password is wrong.
And it's safer, because you don't need the manager's password for anything.

However, if you wish to add extra user attributes, like mail quota, 
which aren't present in the AD schema, you'll have to *extend* the AD 
schema, that is, adding the missing attributes, through a special 
procedure, using the AD's schema snap-in. Adding attributes in AD is 
dangerous, because it's a one-way process where no mistakes are allowed. 
Use a test system first.

Good luck,
Alex

Quoting Jon-Michael DeShazer <jdeshazer at horanandmcconaty.com>:

> What settings do I need to make within horde to allow this?
>
> -------- Original Message --------
> Subject: 	Re: [horde] Authentication to a Windows 2003 ADS
> Date: 	Mon, 28 Nov 2005 13:27:09 -0500
> From: 	ToddVBanks <todd.banks at toddvbanks.com>
> To: 	<horde at lists.horde.org>
>
>
>
> You can use LDAP authentication against the AD.
>
> -----Original Message-----
> From: "Jon-Michael DeShazer" <jdeshazer at horanandmcconaty.com>
> Sent: 2005-11-28 1:14:17 PM
> To: "horde at lists.horde.org" <horde at lists.horde.org>
> Cc: Subject: [horde] Authentication to a Windows 2003 ADS
>
> Is this possible, or am I going to have to enter in hundreds of user 
> names so they can use the Horde framework?  How would I set up 
> authentication using a Windows 2003 server?
>
> [truncated by sender]
> -- 
> Horde mailing list - Join the hunt: http://horde.org/bounties/#horde
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>
>
>
> -- 
> Jon-Michael DeShazer
>
> IT Manager
>
> Horan & McConaty
>
> (303)745-1771 ext. 235
>
> Get Thunderbird <http://www.mozilla.org/products/thunderbird/>
>
>
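The rebind check Alex describes, written in Horde's language as an added example (this is not code from the thread or from Horde's own LDAP driver). The host, base DN and UPN suffix are placeholders; the user is assumed to supply a bare account name. The empty-password guard matters: LDAP treats a DN with an empty password as an anonymous (unauthenticated) bind, which AD accepts and reports as success.

```php
<?php
// Added example: authenticate against AD by binding as the user
// ("rebind"), with no manager/service account involved.
// Placeholders, not real values:
const AD_HOST    = 'ldaps://dc1.example.internal';
const AD_BASE_DN = 'DC=example,DC=internal';
const UPN_SUFFIX = '@example.internal';

/**
 * Returns the user's directory entry on success, or null when the
 * bind fails. The only decision point is the bind result: the server
 * verifies the password, the client never sees or compares a hash.
 */
function ad_rebind_auth(string $user, string $password): ?array
{
    // RFC 4513 "unauthenticated bind": a name with an EMPTY password is
    // accepted by AD as anonymous and returns success, so refuse it here.
    // Also refuse names that could smuggle in a different UPN suffix.
    if ($user === '' || $password === '' || strpbrk($user, "@\\/") !== false) {
        return null;
    }

    $ds = ldap_connect(AD_HOST);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD hands out referrals that break base-DN searches if chased.
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Bind as the user in UPN form; no need to know the user's DN.
    // Failure (errno 49, invalidCredentials) means wrong password or
    // no such user, exactly the distinction the thread says you get.
    if (!@ldap_bind($ds, $user . UPN_SUFFIX, $password)) {
        ldap_unbind($ds);
        return null;
    }

    // Still bound as the user: read only the attributes mail needs.
    $filter  = '(sAMAccountName=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
    $res     = ldap_search($ds, AD_BASE_DN, $filter, ['mail', 'displayName']);
    $entries = $res ? ldap_get_entries($ds, $res) : ['count' => 0];
    ldap_unbind($ds);

    return $entries['count'] === 1 ? $entries[0] : null;
}
```

A custom quota attribute would be added to the search attribute list only after the schema has been extended as described above.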