Re: Notification of userPassword change in OpenLDAP?

2010-08-19 Thread Jonathan Clarke

Hi,

On 18/08/2010 23:24, Tom Leach wrote:

> I'm trying to work on a password sync scheme between OpenLDAP and some
> systems that use flat Unix passwd/shadow files. I have been able to
> update the LDAP server when someone changes their password on the
> standalone Unix systems, but I'm having problems trying to get any kind
> of notification from the LDAP server if someone from a system using the
> LDAP directory changes their password.

I assume you have considered setting up PAM/NSS-ldap on these machines
instead of rewriting the flat files?

> So far, I'm looking at searching the LDAP directory every few minutes
> for any entries that have had their modifyTimestamp attribute change
> since the last time the search ran, then checking to see if the
> userPassword attribute in the LDAP directory is different than the
> shadow file on the Unix system. This seems like a real stupid scheme,
> especially when passwords are changed infrequently. I just don't want a
> long delay between syncing the directory and flat files in case someone
> changes their password on an LDAP client, then tries to log into the
> flat file system.
>
> Ideally, there could be some option in OpenLDAP that could call an
> external program when some attribute(s) have changed. That program could
> then perform the necessary searches and update the flat files if
> appropriate. So far, I've found nothing indicating that this is possible
> so I figured I'd ask and see if anyone else has tried this and what they
> found.
> Thanks!

Another approach would be to use syncrepl. Performing a search on the
attribute you're interested in, and using syncrepl's cookie mechanism to
be notified of changes over a persistent search, or detect changes when
connecting again, would allow you to get this information in your client
program.

Syncrepl-enabled LDAP libraries are available in several languages now
(including, IIRC, Python and Java).

Take a look at some of these resources to read more about syncrepl:

http://tools.ietf.org/html/rfc4533

http://www.openldap.org/doc/admin24/replication.html#LDAP%20Sync%20Replication

http://blog.normation.com/2010/07/18/java-ldap-sdk-for-syncrepl-replication-showcase/

Hope this helps,
Jonathan
--
Jonathan Clarke - jonat...@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org


Re: Notification of userPassword change in OpenLDAP?

2010-08-18 Thread Howard Chu

Tom Leach wrote:

> I'm trying to work on a password sync scheme between OpenLDAP and some
> systems that use flat Unix passwd/shadow files.  I have been able to
> update the LDAP server when someone changes their password on the
> standalone Unix systems, but I'm having problems trying to get any kind
> of notification from the LDAP server if someone from a system using the
> LDAP directory changes their password.
>
> So far, I'm looking at searching the LDAP directory every few minutes
> for any entries that have had their modifyTimestamp attribute change
> since the last time the search ran, then checking to see if the
> userPassword attribute in the LDAP directory is different than the
> shadow file on the Unix system.  This seems like a real stupid scheme,
> especially when passwords are changed infrequently.  I just don't want a
> long delay between syncing the directory and flat files in case someone
> changes their password on an LDAP client, then tries to log into the
> flat file system.
>
> Ideally, there could be some option in OpenLDAP that could call an
> external program when some attribute(s) have changed.  That program
> could then perform the necessary searches and update the flat files if
> appropriate.  So far, I've found nothing indicating that this is
> possible so I figured I'd ask and see if anyone else has tried this and
> what they found.
> Thanks!
> Tom Leach
> le...@coas.oregonstate.edu

In the old Symas Connexitor EMS product we simply put a slapd on top of 
/etc/passwd, /etc/shadow, and /etc/group (that is, these flat files provide 
the backing store for the database that this slapd exposes) and then replicate 
account updates to it from a central master. You could accomplish much the 
same thing today using a client reading an accesslog DB.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
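As an added example (not code from either poster), here is the core of a client that reads the accesslog DB Howard mentions: it scans accesslog entries (a constructed LDIF sample; attribute names follow slapo-accesslog(5), all values are invented), skips anything at or before a saved reqStart cookie, ignores operations slapd rejected, and returns the DNs whose userPassword was modified plus the cookie to resume from. Treating reqType `extended(1.3.6.1.4.1.4203.1.11.1)` (RFC 3062 Password Modify, which ldappasswd and most PAM modules use) as a password change is an assumption about how accesslog labels that exop.

```python
# Constructed LDIF sample (attribute names per slapo-accesslog(5); values invented).
SAMPLE_ACCESSLOG = """\
dn: reqStart=20100818232400.000001Z,cn=accesslog
reqStart: 20100818232400.000001Z
reqType: modify
reqDN: uid=tleach,ou=people,dc=example,dc=com
reqMod: userPassword:= {SSHA}constructedHashValue
reqResult: 0

dn: reqStart=20100818232401.000001Z,cn=accesslog
reqStart: 20100818232401.000001Z
reqType: modify
reqDN: uid=jdoe,ou=people,dc=example,dc=com
reqMod: mail:= jdoe@example.com
reqResult: 0

dn: reqStart=20100818232402.000001Z,cn=accesslog
reqStart: 20100818232402.000001Z
reqType: modify
reqDN: uid=asmith,ou=people,dc=example,dc=com
reqMod: userPassword:= {SSHA}anotherConstructedHash
reqResult: 50
"""

# Assumption: accesslog labels the RFC 3062 Password Modify exop this way.
PASSWD_EXOP = "extended(1.3.6.1.4.1.4203.1.11.1)"

def parse_ldif(text):  # one {attr: [values]} dict per blank-line-separated entry
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            entry.setdefault(attr, []).append(val.strip())
        entries.append(entry)
    return entries

def password_changes(ldif_text, cookie=""):
    """Return (DNs to sync, new cookie) for entries with reqStart newer than `cookie`."""
    to_sync, newest = [], cookie
    for e in parse_ldif(ldif_text):
        start = e["reqStart"][0]          # generalizedTime: lexical order == time order
        if start <= cookie:               # already handled on a previous run
            continue
        newest = max(newest, start)       # advance even past failed operations
        rtype, ok = e["reqType"][0], e.get("reqResult", ["0"])[0] == "0"
        touched = any(m.startswith("userPassword:") for m in e.get("reqMod", []))
        if ok and ((rtype == "modify" and touched) or rtype == PASSWD_EXOP):
            to_sync.append(e["reqDN"][0])  # a non-zero reqResult means slapd rejected it
    return to_sync, newest
```

Persist the returned cookie between runs so a restart neither replays old changes nor misses the ones made while the client was down.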