Mailing List CGatePro@mail.stalker.com Message #92416
From: Eric Chamberlain <eric@voxilla.com>
Subject: RE: authLDAPNew2.pl with AD
Date: Fri, 31 Aug 2007 17:08:41 -0700
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro MAPI Connector 1.2.5/1.2.12
> -----Original Message-----
> From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On
> Behalf Of Thom O'Connor
> Sent: Friday, August 31, 2007 4:37 PM
> To: CommuniGate Pro Discussions
> Subject: Re: authLDAPNew2.pl with AD
>
>
> Another possibility is to figure out how to "automatically" copy or
> replicate the user's plain-text (or obfuscated but not encrypted)
> password in Active Directory into a second custom attribute in Active
> Directory - for example, create a custom attribute in Active Directory
> called "userPassword", and have this attribute filled by the user's new
> password automatically whenever a user modifies their password. Then,
> configure authLDAPNew2.pl to simply retrieve this alternate field. This
> would probably require some domain-controller-level scripting on the AD
> side of things, and again - not being AD experts - we welcome any
> thoughts on this.
>

I explored this in a past life, when I was managing a 60,000 user AD forest.

The easiest way to get at the raw password in a Windows Domain is to write a custom password filter <http://msdn2.microsoft.com/en-us/library/ms721882.aspx>. The filter plugs into the Domain Controller LSA process and would save the raw password into another LDAP attribute.

This method doesn't require a change in user behavior or hacking core Windows files. The filter DLL can even be managed and deployed to each Domain Controller via Group Policies.

--
Eric Chamberlain, CISSP
Voxilla
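Because a password filter of the kind described above runs inside the LSA process on every domain controller and sees each new password in clear text, whatever is registered there deserves the same scrutiny as a service running as SYSTEM. The following audit script is an added example, not code from this thread or from CommuniGate: it reads the LSA "Notification Packages" list on the DC it is run on, resolves each entry to its DLL under System32, checks the Authenticode signature and last-write time, and flags anything outside an assumed baseline. The baseline names (`scecli`, `rassfm`) are an assumption about a typical domain controller build; replace them with what your own build documentation lists.

```powershell
# Added example (not from the original thread): inventory the password filter /
# notification package DLLs that LSA loads on this domain controller and flag
# entries that are not in the expected baseline, are unsigned, or are missing.
# Run in an elevated PowerShell session on the DC itself.

function Get-PasswordFilterAudit {
    [CmdletBinding()]
    param(
        # Assumed baseline for a domain controller; adjust to your documented build.
        [string[]]$ExpectedPackages = @('scecli', 'rassfm')
    )

    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $system32 = Join-Path $env:SystemRoot 'System32'

    # "Notification Packages" is a MULTI_SZ of DLL base names (no extension);
    # LSA loads each one from System32 at boot and calls it on every password change.
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' -ErrorAction Stop).'Notification Packages'

    foreach ($name in @($packages)) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }

        $dllPath   = Join-Path $system32 ("{0}.dll" -f $name)
        $exists    = Test-Path -LiteralPath $dllPath
        $signature = $null
        $file      = $null
        if ($exists) {
            $signature = Get-AuthenticodeSignature -FilePath $dllPath
            $file      = Get-Item -LiteralPath $dllPath
        }

        $inBaseline = $ExpectedPackages -contains $name   # case-insensitive in PowerShell
        $sigOk      = $signature -and $signature.Status -eq 'Valid'

        [pscustomobject]@{
            Package        = $name
            InBaseline     = $inBaseline
            Path           = $dllPath
            Exists         = $exists
            SignatureState = if ($signature) { $signature.Status.ToString() } else { 'n/a' }
            Signer         = if ($sigOk -and $signature.SignerCertificate) { $signature.SignerCertificate.Subject } else { 'n/a' }
            LastWriteUtc   = if ($file) { $file.LastWriteTimeUtc } else { $null }
            # Anything unexpected, unsigned, or missing is worth a ticket.
            Flagged        = (-not $inBaseline) -or (-not $exists) -or (-not $sigOk)
        }
    }
}

function Get-RecentNotificationPackageLoads {
    # Security event 4614 ("A notification package has been loaded by the
    # Security Account Manager") is logged at boot for each package; the most
    # recent entries show what actually loaded, not just what the registry says.
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4614 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: print the inventory, then the recent load events, and exit non-zero if
# anything was flagged so the script can run from a scheduled job or GPO startup task.
$audit = Get-PasswordFilterAudit
$audit | Format-Table Package, InBaseline, Exists, SignatureState, LastWriteUtc, Flagged -AutoSize
Get-RecentNotificationPackageLoads | Format-Table -AutoSize

$flagged = @($audit | Where-Object Flagged)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} notification package(s) need review: {1}" -f $flagged.Count, ($flagged.Package -join ', '))
    exit 1
}
exit 0
```

The registry read is the authoritative list of what LSA will load at next boot; the 4614 events show what loaded at the last boot, so a difference between the two is itself a finding. Because the value is deployable by Group Policy, as the post notes, the same mechanism that legitimately distributes a filter can also distribute one nobody approved, which is why the audit keys off a documented baseline rather than trusting whatever is present.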