Mailing List CGatePro@mail.stalker.com Message #92417
From: Thom O'Connor <thom@communigate.com>
Subject: Re: authLDAPNew2.pl with AD
Date: Fri, 31 Aug 2007 21:17:58 -0700
To: <cgatepro@communigate.com>
From: "Eric Chamberlain"
>> -----Original Message----- Behalf Of Thom O'Connor
>> Another possibility is to figure out how to "automatically" copy or
>> replicate the user's plain-text (or obfuscated but not encrypted)
>> password in Active Directory into a second custom attribute in
>> Active Directory - for example, create a custom attribute in Active
>> Directory called "userPassword", and have this attribute filled by
>> the user's new password automatically whenever a user modifies
>> their password. Then, configure authLDAPNew2.pl to simply retrieve
>> this alternate field. This would probably require some
>> domain-controller-level scripting on the AD side of thing, and
>> again - not being AD experts - we welcome any thoughts on this.
>>
>
> I explored this in a past life, when I was managing a 60,000 user AD
> forest.
>
> The easiest way to get at the raw password in a Windows Domain is to
> write a custom password filter
> <http://msdn2.microsoft.com/en-us/library/ms721882.aspx>. The filter
> plugs into the Domain Controller LSA process and would save the raw
> password into another LDAP attribute.
>
> This method doesn't require a change in user behavior or hacking core
> Windows files. The filter dll can even be managed and deployed to
> each Domain Controller via Group Policies.


Yes, that seems very workable. The DLL function is here:

http://msdn2.microsoft.com/en-us/library/ms721876.aspx
> PasswordChangeNotify
> The PasswordChangeNotify function is implemented by a password filter
> DLL. It is used to notify the DLL that a password was changed.
>
> NTSTATUS PasswordChangeNotify(
>   PUNICODE_STRING UserName,
>   ULONG RelativeId,
>   PUNICODE_STRING NewPassword
> );
>
> Parameters
> UserName
>     [in] Account name of the user whose password changed.
> RelativeId
>     [in] Relative identifier (RID) of the user specified in UserName.
> NewPassword
>     [in] New plaintext password for the user specified in UserName. When
> you have finished using the password, clear the information by calling
> the SecureZeroMemory function. For more information about protecting
> passwords, see Handling Passwords.


And there are Online References and examples around:

ftp://ftp.gue-tech.org/pub/windows/nt40/patch_matrix.sp4/kb/Q151082.html
http://www.devx.com/security/Article/21522/1954?pf=true
http://www.epokh.org/articles/PasswordFilters/PasswordFilters.html
http://www.experts-exchange.com/Programming/Languages/C/Q_21877640.html


All this DLL should need to do is copy (or LDAP-modify) it, plain-text or
Base64 encoded, into a separate attribute in AD - "userPassword" would
seem ideal for this and with any luck would even already be in the MS
schema. Anyone up to writing this? Cheers,
 -thom
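Because every PasswordChangeNotify DLL registered on a Domain Controller receives each new password in plaintext, an administrator will want to know exactly which DLLs the LSA loads. The following PowerShell audit is an added example, not code from this thread; it assumes it is run elevated on a DC and that $KnownPackages is a site-specific baseline to adjust.

```powershell
# Added example (not from the thread): list the password filter / notification DLLs the LSA
# on this Domain Controller loads, check their signatures, and flag anything off-baseline.
# Assumptions: run elevated on the DC; $KnownPackages is a baseline you adjust per Windows build.
$KnownPackages = @('scecli', 'rassfm')   # built-in notification packages (assumed baseline)

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Packages = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'

$Report = foreach ($Name in $Packages) {
    # Entries are normally DLL base names that the LSA resolves from %SystemRoot%\System32
    $Path = Join-Path $env:SystemRoot ("System32\{0}.dll" -f $Name)
    $Sig  = if (Test-Path $Path) { Get-AuthenticodeSignature -FilePath $Path } else { $null }
    [pscustomobject]@{
        Package   = $Name
        Path      = $Path
        Exists    = [bool]$Sig
        Signature = if ($Sig) { $Sig.Status } else { 'MISSING' }
        Signer    = if ($Sig -and $Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '' }
        Baseline  = $KnownPackages -contains $Name
    }
}

$Report | Format-Table -AutoSize

# Anything outside the baseline, or not validly signed, deserves a look: these DLLs see
# every password change on this DC in the clear via PasswordChangeNotify.
$Suspect = $Report | Where-Object { -not $_.Baseline -or $_.Signature -ne 'Valid' }
if ($Suspect) {
    Write-Warning ("Unexpected or unsigned notification packages: {0}" -f ($Suspect.Package -join ', '))
}

# Security event 4614 ("A notification package has been loaded by the Security Account
# Manager") is written at each load; correlate new package names with known change windows.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4614 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
```

Run this on every DC (or push it through the same Group Policy mechanism used to deploy the DLL) so that the registered package list on each controller is known and reviewed.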