LDAP Account Synchronization Project

Alias: LDAP Account Sync, AcctSync

    The LDAP Account Sync Project's goal is to create a user and group account system that is synchronized between Windows and UNIX systems.  This is not authorization, but rather synchronization of the account information and passwords.

   A number of other ways to do single-login authentication already exist:
  What advantage does the LDAP Account Synchronization Project have over the other single account systems?  Well, it depends.  The reason for this project is to create an open source account system that works with existing account systems (OpenLDAP and Windows Active Directory).  Using this method allows flexibility in handling the differences between Windows and UNIX administration tasks.  Review your requirements to see which method suits your situation.

Project Goals

   The account synchronization consists of three key areas, and each area is divided into two parts.
   The project will produce each of the six components mentioned above.  The main language of implementation will be Perl, due to its cross-platform support, availability, and support in OpenLDAP's back-perl backend.   Any modifications to OpenLDAP will be in C.  At least one part, "2a - user password modifications from Windows->LDAP", will require a Windows password filter DLL, and that will have to be done in MSVC++.

   An NT/2000 password filter DLL updates the OpenLDAP directory server when an NT/2000 user changes his or her password on any machine in the NT/2000 domain.   The back-perl OpenLDAP backend (iPlanet® uses its plugin API) is used on both the NT/2000 server and on the main OpenLDAP server (if they are different) to modify NT/2000 accounts when accounts are modified in the directory, or vice versa.

   This method also allows the authentication services on all operating systems to remain "intact", i.e. there is no use of third-party authentication modules, e.g. PAM modules (UNIX) or GINA modules (Windows), that are not from the OS vendor.

  With the account sync scenario, a site can keep all user account information, including valid passwords, in one location, the LDAP server, allowing it to reuse that server for applications that require LDAP as an authentication service.   Various other authentication scenarios, although they use LDAP, still require giving up having valid user passwords in the LDAP server, because the user passwords are stored elsewhere.

More information on what acctsync does...

Figure 1. A sample network configuration. (Image: Account sync diagram 1)


The components below make up the LDAP Account Sync Project:
Project downloads and communication
    See the SourceForge project summary page at https://sourceforge.net/projects/acctsync/ for project files and more information on CVS, etc.

    Communication will be done on two mailing lists: acctsync-devel at https://lists.sourceforge.net/lists/listinfo/acctsync-devel for developers working on the acctsync project, and acctsync-general at https://lists.sourceforge.net/lists/listinfo/acctsync-general for users and other people requiring general information on the acctsync project.

Project Status
Redesigned the web site layout.  Hopefully it describes the project better.  Also, a new version of OpenLDAP and acctSync is in the works.

Screenshot of the passwdHk-config utility. This utility configures the behavior of the passwdHk password synchronization DLL, which transmits modified Windows passwords over to the LDAP server. The DLL is configured via the registry.

OpenLDAP binaries for the 2.1.3 release are now available on the project page at http://sourceforge.net/projects/acctsync. The binaries were built with OpenSSL 0.9.6d, Berkeley DB 4.0.14, and ActiveState Perl 5.6.1.

acctSync.pm and acctSyncAccount.schema are in CVS. acctSync.pm is the Perl module that the OpenLDAP Perl backend loads to process the user modification requests. I am waiting for an official OID number, which I expect to arrive any day now.

The current patch has been added to the OpenLDAP CVS source code repository.  Therefore I will not be posting any more patches.  The back-perl backend should now compile on win32 using OpenLDAP from CVS.

I have been working on a Perl OpenLDAP extension to simplify writing Perl scripts that use the OpenLDAP libraries.  The project is ldapperl; it is derived from perldap ( http://www.perldap.org/ ) and can be found at http://ldapperl.sourceforge.net/ .  The goal is to more closely export the OpenLDAP C and C++ APIs as a Perl extension.

The current patch for OpenLDAP+back-perl on win32 can be found at http://prdownloads.sourceforge.net/acctsync/back-perl.win32.current.patch.gz .  This patch should apply cleanly against the current OpenLDAP CVS HEAD branch.  Note that CVS changes significantly in short periods of time.

I have been told that this patch will eventually be applied in OpenLDAP CVS, but with no date guarantee.  Do not use the older patches; this one fixed all the issues I had run into at the time I uploaded it.

After applying the patch you must:
  1. #define HAVE_SLAPD_PERL and HAVE_WIN32_ASPERL in the ldap/include/portable.nt file.
  2. Import the back-perl project into your OpenLDAP workspace.
  3. Add back-perl as a dependency of the slapd project.
  4. Add 'perl56.lib' as a library dependency to slapd.
  5. Modify your library and include directory paths to reflect where you have your perl/lib/CORE directory.
  6. The last two steps also have to be done for the other executables, e.g. slapadd, etc.
If you have any problems feel free to drop a note on the list at https://lists.sourceforge.net/lists/listinfo/acctsync-general .

An update of the "Password Hook DLL" is now available from the SourceForge summary page.  It now includes registry entries for all of the configuration options, and supports logging, create process flags, and wait timing.  Also included is a driver program that loads the DLL during testing and executes its functions.  This version, though still considered alpha, works well for me.  Security and memory audits are next.

Uploaded the alpha source for a password filter I am working on.  "Password Hook DLL" is an NT password filter that takes the user's password and then passes it to a script registered in the registry.  The DLL is thus effectively a generic password filter.  This is a different approach from Osama Dengler's password filter, which makes the LDAP calls directly to the LDAP server.

This very alpha code reliably crashes Windows 2000, but hopefully that will change soon.  The code can be downloaded from the SourceForge summary page at https://sourceforge.net/projects/acctsync/
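The script half of a generic password filter such as the Password Hook DLL above (the Windows->LDAP password path of the overview), written here as an added Perl example that is not part of the acctsync project or its DLL. It uses the CPAN perl-ldap module (Net::LDAP) rather than the project's ldapperl, and it assumes the DLL hands over the account name and the new password as two lines on the script's standard input, since the page does not say how the DLL passes them. The LDAP host, bind DN, secret file path, search base and the uid naming attribute are placeholders for whatever the site uses.

```perl
#!/usr/bin/perl
# Added example, not part of the acctsync project or its Password Hook DLL.
# Receives a changed Windows password from the filter DLL and writes it into
# the directory as a salted hash.
#
# Assumptions (the page does not state the delivery mechanism or schema):
#   - the DLL feeds two lines on standard input: the account name, then the
#     new password, so neither value appears on a command line or in a log;
#   - the matching directory entry has uid=<account name> under $BASE_DN;
#   - the host, bind DN and secret file below are site-specific placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Digest::SHA qw(sha1);
use MIME::Base64 qw(encode_base64);

my $LDAP_URI     = 'ldaps://ldap.example.com';                  # placeholder
my $BIND_DN      = 'cn=acctsync,ou=services,dc=example,dc=com'; # placeholder
my $BIND_PW_FILE = '/etc/acctsync/bind.secret';                 # placeholder
my $BASE_DN      = 'ou=people,dc=example,dc=com';               # placeholder

# Salted SHA-1 in the {SSHA} form OpenLDAP understands, so only a hash is
# stored even though the filter saw the clear-text password.  A caller may
# pass a fixed salt (useful in tests); otherwise four random bytes are drawn.
sub ssha_hash {
    my ($password, $salt) = @_;
    $salt = pack('C4', map { int(rand(256)) } 1 .. 4) unless defined $salt;
    return '{SSHA}' . encode_base64(sha1($password . $salt) . $salt, '');
}

# Read "account\npassword\n" from a filehandle and reject empty values.
sub read_credentials {
    my ($fh) = @_;
    my $user = <$fh>;
    my $pass = <$fh>;
    die "expected account name and password on stdin\n"
        unless defined $user && defined $pass;
    chomp $user;
    chomp $pass;
    die "account name must not be empty\n" if $user eq '';
    die "password must not be empty\n"     if $pass eq '';
    return ($user, $pass);
}

# Build the search filter with the account name escaped, so a name containing
# '*', '(' or '\' cannot widen the search to other entries.
sub user_filter {
    my ($user) = @_;
    return '(uid=' . escape_filter_value($user) . ')';
}

# The bind secret lives in a root-readable file, not in this script.
sub read_secret {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot read $path: $!\n";
    my $secret = <$fh>;
    close $fh;
    die "empty bind secret in $path\n" unless defined $secret;
    chomp $secret;
    return $secret;
}

# Locate exactly one entry for the account and replace its userPassword.
# Returns the DN that was updated.
sub sync_password {
    my ($user, $pass) = @_;
    my $ldap = Net::LDAP->new($LDAP_URI, version => 3)
        or die "cannot connect to $LDAP_URI: $@\n";
    my $msg = $ldap->bind($BIND_DN, password => read_secret($BIND_PW_FILE));
    die 'bind failed: ' . $msg->error . "\n" if $msg->code;

    my $res = $ldap->search(
        base   => $BASE_DN,
        scope  => 'sub',
        filter => user_filter($user),
        attrs  => ['1.1'],            # DN only; no attribute values needed
    );
    die 'search failed: ' . $res->error . "\n" if $res->code;
    die "expected one entry for $user, found " . $res->count . "\n"
        unless $res->count == 1;
    my $dn = $res->entry(0)->dn;

    $msg = $ldap->modify($dn, replace => { userPassword => ssha_hash($pass) });
    die 'modify failed: ' . $msg->error . "\n" if $msg->code;
    $ldap->unbind;
    return $dn;
}

# Run as a script (the DLL's child process); do nothing when loaded by tests.
unless (caller) {
    my ($user, $pass) = read_credentials(\*STDIN);
    my $dn = sync_password($user, $pass);
    print STDERR "updated userPassword for $dn\n";   # log the DN, never the password
}
```

Two points in the design matter more than the LDAP calls themselves: the password travels on standard input rather than the command line, because a command line is visible to every other process on the machine and tends to end up in process-creation logs, which is exactly the kind of exposure the DLL's own logging option must also avoid; and the directory receives an {SSHA} hash rather than the clear-text value, so the synchronization does not turn the LDAP server into a store of recoverable Windows passwords. The filter escaping is the same precaution any LDAP-backed lookup of a user-supplied name needs.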

Building OpenLDAP on a win32 system
I am planning to put up detailed instructions on this in the future, but for now here are some pointers.
  1. Go through the OpenLDAP FAQ, specifically the win32 notes in the developer section.
  2. See the FiveSight win32 OpenLDAP page for more information.
  3. Search the OpenLDAP mailing-list archive for questions previously answered.

  1. OpenLDAP - http://www.openldap.org/
  2. Perl - http://www.perl.com/
  3. ActiveState Win32 Perl - http://www.activestate.com/Products/ActivePerl/
  4. LDAP User Manager Project - http://ldapusrmgr.sourceforge.net/
  5. MS-Windows password filters - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/Security/password_filter_reference.asp
Developed at Florida Tech

For more information email Curtis Robinson, crobinso.at.fit.edu, or acctsync-general.
Last Modified by Curtis Robinson on 10/01/03