IdentityConnectorActiveDirectory

r1 - 24 Mar 2009 - 19:52 - ChristopherPepe

About

The Active Directory connector manipulates AD accounts through LDAP calls against the Active Directory data stores.

Definitions

  • Account Exists
    • Read the DN from Active Directory; if exactly one result is returned then the account exists
  • Enable
    • If the user does not have an account, create one
    • Clear the 2's bit on userAccountControl
  • Disable
    • Set the 2's bit on userAccountControl
  • Status
    • inactive = (userAccountControl & 2) == 2, or account does not exist
    • active = (userAccountControl & 2) == 0

Enable Account

Arguments: uid, data - password

Tests whether the user's account exists and whether it is active. If no account exists it is created. If the account is not active it is set to active. If no password is specified in the PSR data, a random password is assigned to the account. Other information is read from OpenLDAP and used to create the AD account. This may cause race conditions; a future version of this connector should allow all information to be passed in and use OpenLDAP only as a fallback.

Disable Account

Arguments: uid

If the account does not exist nothing is done and the connector reports success. If the account exists it is set to inactive.

Account Information

Arguments: None

Exposed Attributes: 'objectClass', 'distinguishedName', 'whenCreated', 'status', 'displayName', 'sn', 'givenName', 'lastLogon', 'memberOf'

If the account exists, a dictionary containing the status and some attributes from AD is returned. If the account does not exist, only the status systems.NO_ACCOUNT is returned.
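The definitions above and the Enable, Disable and Account Information operations, as an added example that is not the connector's or the project's own code. It runs against an in-memory stand-in for the AD store (FakeDirectory, the sample entries and the OU/DC names are constructed for this illustration), so it can be executed without a domain controller. Existence is "exactly one search result", enable/disable clear or set the 2's bit (ACCOUNTDISABLE) of userAccountControl, and status is derived from that bit. One addition beyond the page: enable refuses to create an object when the uid already matches more than one entry, since creating a third would make the ambiguity worse.

```python
"""Added example (not the connector's own code): in-memory simulation of the
Account Exists / Enable / Disable / Status definitions and the Account
Information operation.  All directory data below is constructed."""
import secrets

ACCOUNTDISABLE = 0x2        # the "2's bit" of userAccountControl
NORMAL_ACCOUNT = 0x200      # normal user object: 512 enabled, 514 disabled
NO_ACCOUNT = "NO_ACCOUNT"   # stands in for systems.NO_ACCOUNT on the page
EXPOSED = ('objectClass', 'distinguishedName', 'whenCreated', 'displayName',
           'sn', 'givenName', 'lastLogon', 'memberOf')

# Constructed sample entries, not taken from any real directory.
SAMPLE_ENTRIES = [
    {'distinguishedName': 'CN=Alice Example,OU=People,DC=example,DC=test',
     'sAMAccountName': 'alice', 'userAccountControl': 512,
     'objectClass': ['top', 'person', 'user'], 'sn': 'Example',
     'givenName': 'Alice', 'displayName': 'Alice Example',
     'whenCreated': '20090324195200.0Z', 'memberOf': []},
    {'distinguishedName': 'CN=Bob Example,OU=People,DC=example,DC=test',
     'sAMAccountName': 'bob', 'userAccountControl': 514,   # disabled
     'objectClass': ['top', 'person', 'user'], 'sn': 'Example',
     'givenName': 'Bob', 'displayName': 'Bob Example',
     'whenCreated': '20090324195200.0Z', 'memberOf': []},
]


class FakeDirectory:
    """Minimal stand-in for the LDAP search/add/modify calls the connector makes."""

    def __init__(self, entries):
        self.entries = {e['distinguishedName']: dict(e) for e in entries}

    def search(self, uid):
        """Every entry whose sAMAccountName equals uid (0, 1 or more results)."""
        return [e for e in self.entries.values() if e.get('sAMAccountName') == uid]

    def add(self, entry):
        self.entries[entry['distinguishedName']] = dict(entry)

    def modify(self, dn, attr, value):
        self.entries[dn][attr] = value


def account_exists(directory, uid):
    # Page definition: the account exists only if exactly one result comes back.
    return len(directory.search(uid)) == 1


def status_of(uac):
    return 'inactive' if uac & ACCOUNTDISABLE else 'active'


def account_status(directory, uid):
    results = directory.search(uid)
    if len(results) != 1:
        return 'inactive'            # a missing account counts as inactive
    return status_of(results[0]['userAccountControl'])


def enable_account(directory, uid, data=None, openldap_lookup=None):
    """Returns (action, random_password_generated)."""
    data = data or {}
    results = directory.search(uid)
    if len(results) > 1:
        # Added safeguard, not on the page: do not create another object
        # when the uid is already ambiguous.
        raise ValueError(f'uid {uid!r} matches {len(results)} objects')
    if not results:
        # Name data comes from OpenLDAP on the page; here a caller-supplied lookup.
        info = openldap_lookup(uid) if openldap_lookup else {}
        password = data.get('password')
        generated = password is None
        if generated:
            password = secrets.token_urlsafe(16)   # random password, never logged
        display = info.get('displayName') or uid
        entry = {'distinguishedName': f'CN={display},OU=People,DC=example,DC=test',
                 'sAMAccountName': uid, 'objectClass': ['top', 'person', 'user'],
                 'sn': info.get('sn', ''), 'givenName': info.get('givenName', ''),
                 'displayName': display, 'memberOf': [],
                 # objects are created disabled, the password is set, then the bit is cleared
                 'userAccountControl': NORMAL_ACCOUNT | ACCOUNTDISABLE}
        directory.add(entry)
        directory.modify(entry['distinguishedName'], 'userAccountControl', NORMAL_ACCOUNT)
        return ('created', generated)
    entry = results[0]
    if entry['userAccountControl'] & ACCOUNTDISABLE:
        directory.modify(entry['distinguishedName'], 'userAccountControl',
                         entry['userAccountControl'] & ~ACCOUNTDISABLE)
        return ('enabled', False)
    return ('already-active', False)


def disable_account(directory, uid):
    results = directory.search(uid)
    if len(results) != 1:
        return True                  # nothing to do; the connector reports success
    entry = results[0]
    directory.modify(entry['distinguishedName'], 'userAccountControl',
                     entry['userAccountControl'] | ACCOUNTDISABLE)
    return True


def account_information(directory, uid):
    results = directory.search(uid)
    if len(results) != 1:
        return {'status': NO_ACCOUNT}
    entry = results[0]
    info = {'status': status_of(entry['userAccountControl'])}
    info.update({k: entry[k] for k in EXPOSED if k in entry})   # only exposed attributes
    return info
```

The real connector would replace FakeDirectory with its LDAP client and write the generated password as unicodePwd; the control flow (exactly-one check, create-disabled then clear the bit, disable as a success no-op) is what the definitions describe.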

Update Account

ALERT! Partially implemented pending further discussion. The UID must remain read-only; a list of valid attributes is used to prevent erroneous data from being written to Active Directory.

Arguments: uid, dictionary of attributes to update and their new values

Attributes to be updated are passed to this method in a dictionary. The value of each attribute is updated in Active Directory after a sanity check. Currently supported attributes are 'sn', 'givenName', 'displayName', and 'password'. The clear-text password is converted to a unicodePwd value before being written to AD.
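The sanity check and the password conversion for Update Account, as an added example that is not the connector's own code. The attribute whitelist is the page's ('sn', 'givenName', 'displayName', 'password'); the read-only list, the length limit and the modlist shape are assumptions made for this illustration. The unicodePwd encoding (the password wrapped in double quotes, encoded as UTF-16LE) is what AD requires for that attribute.

```python
"""Added example (not the connector's own code): attribute whitelist and
unicodePwd conversion for Update Account.  Limits and list shape are assumed."""

ALLOWED = ('sn', 'givenName', 'displayName', 'password')         # from the page
READ_ONLY = ('uid', 'sAMAccountName', 'distinguishedName', 'userAccountControl')
MAX_LEN = 256   # assumed sanity limit, not an AD schema value


def encode_unicode_pwd(clear_text):
    """AD's unicodePwd attribute takes the password enclosed in double quotes
    and encoded as UTF-16LE; AD only accepts the write over an encrypted bind."""
    if not clear_text:
        raise ValueError('empty password')
    return f'"{clear_text}"'.encode('utf-16-le')


def build_modlist(updates):
    """Turn {attr: new_value} into [('replace', attr, [value]), ...] after
    checking each attribute against the whitelist; uid is never writable."""
    modlist = []
    for attr, value in updates.items():
        if attr in READ_ONLY or attr not in ALLOWED:
            raise ValueError(f'attribute {attr!r} may not be updated')
        if not isinstance(value, str) or not value.strip() or len(value) > MAX_LEN:
            raise ValueError(f'invalid value for {attr!r}')
        if attr == 'password':
            # the clear-text value is never written as-is
            modlist.append(('replace', 'unicodePwd', [encode_unicode_pwd(value)]))
        else:
            modlist.append(('replace', attr, [value]))
    return modlist
```

Rejecting unknown attributes before touching the directory is what keeps a caller from smuggling in userAccountControl or a renamed uid alongside a legitimate surname change.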

Wisdom

  • The idm server needs to trust stele (the CA issuing server)
  • Copy the stele.cer certificate to /etc/pki/tls/certs
  • echo >> ca-bundle.crt && openssl x509 -inform pem -in stele.cer -text >> ca-bundle.crt
  • cert.pem below is a symlink to ca-bundle.crt
  • Add the following to /etc/openldap/ldap.conf:
      TLS_REQCERT demand
      TLS_CACERT /etc/pki/tls/cert.pem