

Password Synchronization


Changes originating in Linux

In addition to the authentication and authorisation functions, PAM (see Section [*]) offers an interface for changing passwords. However, its implementation in pam_ldap was not capable of changing passwords in Active Directory. To change passwords in Active Directory via LDAP, the following requirements have to be fulfilled:
1. The LDAP connection has to be made over SSL with an encryption algorithm that supports at least 128-bit session keys. [67]
2. a) The old and the new password must be provided, or
   b) only the new password is provided and the operation is performed by someone who has the "Reset Password" right for the entry.
3. Passwords have to be provided in the syntax of the "unicodePwd" attribute. To construct a "unicodePwd" value from a Unix password, the password is surrounded by double quotation marks (") and converted to a two-byte Unicode (UCS-2) representation in little-endian byte order. The conversion to Unicode is straightforward for ASCII characters, as the ordinal numbers of ISO-8859-1, of which ASCII is a subset, are equal to those of Unicode.
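As an added illustration (not code from the thesis, from pam_ldap or from LDAPSYNC.DLL), the following C function performs the conversion described in step 3: it takes an ISO-8859-1 Unix password and returns the raw "unicodePwd" value, quoted and encoded as little-endian UCS-2. The function names are my own; the value contains NUL bytes, so it has to be passed to the LDAP API as a binary value (an OpenLDAP berval with LDAP_MOD_BVALUES), never as a C string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Build the value of Active Directory's "unicodePwd" attribute from an
 * ISO-8859-1 (or plain ASCII) password: the password is surrounded by
 * double quotes and every character becomes two bytes, little-endian
 * UCS-2. Returns a malloc'd buffer (caller must free()) and stores its
 * byte length in *out_len; returns NULL on allocation failure.
 */
unsigned char *unicode_pwd_from_latin1(const char *password, size_t *out_len)
{
    size_t n = strlen(password);
    size_t len = 2 * (n + 2);            /* opening quote + chars + closing quote */
    unsigned char *buf = malloc(len);
    size_t pos = 0, i;

    if (buf == NULL)
        return NULL;

    buf[pos++] = '"';  buf[pos++] = 0x00; /* U+0022, low byte first */
    for (i = 0; i < n; i++) {
        /* ISO-8859-1 code 0x00..0xFF equals U+0000..U+00FF, so the low
           byte is the character itself and the high byte is zero. */
        buf[pos++] = (unsigned char)password[i];
        buf[pos++] = 0x00;
    }
    buf[pos++] = '"';  buf[pos++] = 0x00;

    *out_len = pos;
    return buf;
}

/* Reverse of the above, useful for checking what will be sent to the
 * directory. Returns a malloc'd string, or NULL if the value is not a
 * well-formed quoted little-endian UCS-2 string in the Latin-1 range. */
char *unicode_pwd_to_latin1(const unsigned char *val, size_t len)
{
    size_t i, n;
    char *out;

    if (len < 4 || len % 2 != 0 || val[0] != '"' || val[1] != 0
        || val[len - 2] != '"' || val[len - 1] != 0)
        return NULL;
    n = (len - 4) / 2;
    out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    for (i = 0; i < n; i++) {
        if (val[2 + 2 * i + 1] != 0) { free(out); return NULL; } /* outside Latin-1 */
        out[i] = (char)val[2 + 2 * i];
    }
    out[n] = '\0';
    return out;
}
```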

To implement this scheme in pam_ldap, two patches have been written in the course of this thesis. The first one allows LDAP over SSL (LDAPS) connections using the OpenLDAP 2.0 SDK. The second patch implements the conversion routine for "unicodePwd" described above. Both patches have been integrated into pam_ldap in version 86.


Changes originating in Windows 2000

In Windows 2000, password filters offer a way of implementing password policies and change notifications. [65] To synchronize password changes with Linux, a password filter DLL (LDAPSYNC.DLL) that implements a change notification for an arbitrary LDAP server was written using Microsoft's C LDAP SDK (WLDAP32.LIB).

To initialise the DLL, the InitializeChangeNotify function is called. This routine reads the configuration parameters from the registry and opens an SSL connection to the specified LDAP server. It also initialises error reporting with the Event Log service and builds a printf format string (dnFormatString) that will be used to construct the DN of the entry whose password is to be changed. Since only the new password is passed as a parameter to the PasswordChangeNotify function, the DLL has to authenticate itself as someone who may reset users' passwords. As the configuration parameters include the DN and password of an administrative user of the LDAP directory, the registry values must only be accessible to the Windows system and trusted users.

On a successful password change request, the Local Security Authority (LSA) calls the PasswordChangeNotify function. It first constructs the DN of the entry to be changed from the UserName parameter using the dnFormatString. Then an LDAP modify request is issued to update the password.

To build LDAPSYNC.DLL, the following components are required:

- ldapsync.c: the source code for the library.
- messages.mc: a resource file that specifies the DLL's error messages. This is required to make use of Windows' Event Log service.
- ldapsync.rc: this resource file specifies the version information and includes the binary resource files generated by the message compiler (mc) from the above file.
- Makefile: specifies how to link all parts to create the DLL.

Norbert Klasen 2001-10-22