[sork] Patch - passwd - LDAP Driver improvements for ActiveDirectory interoperability

Amith Varghese amith at xalan.com
Tue May 4 08:14:18 PDT 2004


Passwd supports TLS already (for LDAP).  Does AD not support this?  Does it
make sense to support both?  Unfortunately I can't test to see if this breaks
normal LDAP operations because my version of HEAD is out of date and I don't
have much time right now.

Amith

Quoting LRM <lrm at ionline.com.br>:

> Jan,
>
> Attached is a new revision of the patch, this time with your suggestion:
> removed the _sslconnect function and replaced it with a Boolean parameter
> added to _connect to indicate it's an SSL connection.
>
> Still we need to use the 'sslhost' parameter because on SSL connections, the
> name on the server certificate must match exactly the name of the host you
> are connecting to, else you'll get errors connecting over SSL.
>
> So since this is a change password operation only, the presence of the
> 'sslhost' parameter is enough to tell the code to use ssl on the exact
> specified host only when changing the passwords.
>
> So if the 'sslhost' parameter is missing, the code will use the normal
> 'host' and 'port' parameters to try changing the passwords.
>
> For the other bind and search operations, the 'host' and 'port' parameters
> are still used as before, non-SSL.
>
> Let me know any issues you may find here, thanks.
>
> LRM
>
>
> Quoting LRM <lrm at ionline.com.br>:
>
>> HEAD - Here's a small patch that adds some features to the original passwd
>> LDAP driver, looking for improvements on the Active Directory
>> interoperability.
>>
>>
>>
>> New attribute 'sslhost' for secure connections to the LDAP Server (a URL must
>> be used here, "ldaps://localhost/", because of certificate issues).
>>
>> New function _sslconnect, used only when parameter 'sslhost' is present.
>
> As _sslconnect is actually almost identical to _connect, it would make
> more sense to me to use a boolean 'ssl' parameter and prefix the original
> host with ldaps:/ in _connect, if set.
>
>> _lookupdn now tries to connect as the current logged user first, then as
>> guest if it fails.
>>
>> changePassword now also tries to connect using the realm parameter to log in
>> as the current user on AD.
>
> Can someone using the plain LDAP driver please verify that this patch
> doesn't break anything there?
>
>> Needed this when trying to change users' passwords from the passwd Horde
>> application on Active Directory domain.
>
> Thanks for the patch, before submitting a new version, please review the
> indentation in your added code.
>
> Jan.
>
> --
> http://www.horde.org - The Horde Project
> http://www.ammma.de - New Ways of Learning
> http://www.tip4all.de - Your Private Betting Pool
> --
> Sork mailing list - Join the hunt: http://horde.org/bounties/#sork
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: sork-unsubscribe at lists.horde.org
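The connection policy LRM describes (an ldaps:// 'sslhost' used only for the password change, plain 'host'/'port' otherwise, and _lookupdn binding as the logged-in user before falling back to guest) modelled as an added Python example. This is not the Horde passwd driver's code; the parameter names come from the thread, while `ldap_uri`, `lookup_dn_bind` and the constructed `fake_bind` directory are assumptions for illustration.

```python
from typing import Callable, Optional
from urllib.parse import urlsplit

# Parameter names ('sslhost', 'host', 'port') are the ones named in the thread.
def ldap_uri(params: dict, changing_password: bool) -> str:
    """Return the URI the driver should connect to for this operation."""
    sslhost = params.get("sslhost")
    if changing_password and sslhost:
        # 'sslhost' must be an ldaps:// URL naming the host exactly as it
        # appears in the server certificate; it is passed through unchanged
        # so the TLS hostname check is made against that name.
        if urlsplit(sslhost).scheme != "ldaps":
            raise ValueError("sslhost must be an ldaps:// URL")
        return sslhost
    # Bind/search, or no sslhost configured: ordinary non-SSL host and port.
    return "ldap://%s:%d" % (params["host"], int(params.get("port", 389)))

# bind(uri, dn, password) -> True on success; None/None means a guest bind.
BindFn = Callable[[str, Optional[str], Optional[str]], bool]

def lookup_dn_bind(bind: BindFn, uri: str, user_dn: str, password: str) -> str:
    """_lookupdn order from the thread: current user first, then guest."""
    if bind(uri, user_dn, password):
        return user_dn
    if bind(uri, None, None):
        return "guest"
    raise PermissionError("neither user nor guest bind succeeded")

# Constructed stand-in for a directory: only one user DN/password is valid and
# guest binds are allowed, so the fallback path can be exercised offline.
_FAKE_DIRECTORY = {"cn=alice,dc=example,dc=com": "s3cret"}

def fake_bind(uri: str, dn: Optional[str], password: Optional[str]) -> bool:
    if dn is None:
        return True  # guest bind permitted in this constructed directory
    return _FAKE_DIRECTORY.get(dn) == password
```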