<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hello Paul,<br>
<br>
on the Windows side the solution (password filter) seems to be
quite robust - it is possible to set up e.g. how many times
the Windows server will try to contact the SSOD daemon. <br>
You need to install <a
href="http://technet.microsoft.com/en-us/library/cc772571.aspx">Identity
Management for UNIX</a> (for Windows Server 2008 R2, Windows
Server 2012).<br>
<br>
In the attachment I'm sending you the sources of a Java server that
is able to decrypt these password-change messages coming from the
Windows host. <br>
<br>
Currently it only displays the password value (and checks the
signature to see whether the message is authentic), e.g.<br>
<br>
[main] INFO ssod.Server - Listening on port 6677<br>
[main] INFO ssod.Server - <b>Username = a0, password = a123456</b><br>
[main] INFO ssod.Server - SigReceived size = 20, data = 78, 110,
68, 12, 124, 7, 82, 15, 81, 72, 83, -69, -107, -26, -13, 82, 78,
-28, 103, 103<br>
[main] INFO ssod.Server - SigExpected size = 20, data = 78, 110,
68, 12, 124, 7, 82, 15, 81, 72, 83, -69, -107, -26, -13, 82, 78,
-28, 103, 103<br>
[main] INFO ssod.Server - Match = true<br>
<br>
My code is highly experimental. I had only very limited time to
devote to it. It was tested against Windows Server 2008 R2.<br>
It should be enhanced, e.g. to store the password in midPoint, to
do proper error handling, etc.<br>
Although I plan to do so, I don't know when I will have the time
to do that.<br>
<br>
Best regards,<br>
Pavol<br>
<br>
</div>
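<div>
The receiver described above, as an added example that is not code from the attachment, from midPoint, or from Microsoft's SSOD component. This thread does not describe the real SSOD wire format or cipher, so the message layout (IV, AES-CBC ciphertext, trailing tag), the HMAC-SHA1 signature, the NUL separator between username and password, the length prefix on the socket, the class name and the demo keys are all assumptions; the 20-byte tag length is chosen to match the SigReceived/SigExpected size in the log. Beyond what the prototype's log shows, it verifies the signature with a constant-time compare before decrypting, rejects oversized or unaligned messages before touching the cipher, and logs only the username, never the password.<br>
</div>

```java
import java.io.DataInputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.function.BiConsumer;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical receiver for password-change notifications (example code, not the
 * prototype from the e-mail). ASSUMED message layout, not the real SSOD format:
 *   iv(16) || AES-128-CBC(user NUL password) || HMAC-SHA1(macKey, iv||ciphertext)(20)
 */
public final class SsodReceiverExample {
    static final int IV_LEN = 16;
    static final int SIG_LEN = 20;
    static final int MAX_MSG = 4096;

    private final SecretKeySpec encKey;
    private final SecretKeySpec macKey;

    SsodReceiverExample(byte[] encKey, byte[] macKey) {
        this.encKey = new SecretKeySpec(encKey, "AES");
        this.macKey = new SecretKeySpec(macKey, "HmacSHA1");
    }

    /** HMAC-SHA1 over the first len bytes of data (everything before the tag). */
    byte[] sign(byte[] data, int len) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(macKey);
        mac.update(data, 0, len);
        return mac.doFinal();
    }

    /** Returns {username, password}, or null if the message is malformed or its signature is wrong. */
    String[] open(byte[] msg) throws Exception {
        if (msg.length < IV_LEN + 16 + SIG_LEN || (msg.length - SIG_LEN - IV_LEN) % 16 != 0) return null;
        int sigAt = msg.length - SIG_LEN;
        byte[] expected = sign(msg, sigAt);
        byte[] received = Arrays.copyOfRange(msg, sigAt, msg.length);
        // Verify before decrypting, and compare in constant time: an early-exit
        // byte loop leaks how many leading tag bytes matched.
        if (!MessageDigest.isEqual(expected, received)) return null;
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(msg, 0, IV_LEN));
        String plain = new String(c.doFinal(msg, IV_LEN, sigAt - IV_LEN), StandardCharsets.UTF_8);
        int sep = plain.indexOf('\0');
        return sep < 0 ? null : new String[] { plain.substring(0, sep), plain.substring(sep + 1) };
    }

    /** Sender side, used here only to construct test messages. */
    byte[] seal(String user, String password) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] ct = c.doFinal((user + '\0' + password).getBytes(StandardCharsets.UTF_8));
        byte[] msg = new byte[IV_LEN + ct.length + SIG_LEN];
        System.arraycopy(iv, 0, msg, 0, IV_LEN);
        System.arraycopy(ct, 0, msg, IV_LEN, ct.length);
        System.arraycopy(sign(msg, IV_LEN + ct.length), 0, msg, IV_LEN + ct.length, SIG_LEN);
        return msg;
    }

    /** Accepts length-prefixed messages and hands verified credentials to sink (e.g. a midPoint model API call). */
    void serve(int port, BiConsumer<String, String> sink) throws Exception {
        try (ServerSocket server = new ServerSocket(port)) {
            System.out.println("Listening on port " + port);
            while (true) {
                try (Socket s = server.accept(); DataInputStream in = new DataInputStream(s.getInputStream())) {
                    int len = in.readInt();
                    if (len <= 0 || len > MAX_MSG) continue;   // reject absurd lengths before allocating
                    byte[] msg = new byte[len];
                    in.readFully(msg);
                    String[] cred = open(msg);
                    if (cred == null) { System.out.println("Rejected message from " + s.getInetAddress()); continue; }
                    System.out.println("Username = " + cred[0]);  // log the user, never the password
                    sink.accept(cred[0], cred[1]);
                } catch (Exception e) {
                    System.out.println("Bad client: " + e);
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo keys; in practice both sides share them out of band.
        byte[] encKey = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
        byte[] macKey = "ssod-demo-mac-key".getBytes(StandardCharsets.US_ASCII);
        SsodReceiverExample r = new SsodReceiverExample(encKey, macKey);

        byte[] msg = r.seal("a0", "a123456");            // names taken from the e-mail's log output
        String[] cred = r.open(msg);
        System.out.println("Valid message -> Username = " + cred[0] + ", Match = true");

        byte[] tampered = msg.clone();
        tampered[IV_LEN] ^= 0x01;                        // flip one ciphertext bit
        System.out.println("Tampered message -> " + (r.open(tampered) == null ? "rejected" : "ACCEPTED (bug)"));

        // Optional: run the listener, e.g. "java SsodReceiverExample 6677".
        if (args.length > 0) r.serve(Integer.parseInt(args[0]),
                (u, p) -> System.out.println("Would push credentials for " + u + " to midPoint"));
    }
}
```

<div>
Run without arguments it only exercises the constructed messages offline; with a port number it listens the way the prototype's log shows. The sink is the hook where the e-mail's planned enhancement (storing the password in midPoint via the local model API) would go.<br>
</div>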
<blockquote
cite="mid:CAA3kSxXnQZ5KOKNx9vJN4ncf1d6J8TUz-mBibt3-1szg+2MeyA@mail.gmail.com"
type="cite">
<pre wrap="">Hi Pavol,
You're correct, we wish to synchronise passwords from AD to midPoint (and
then on to other systems).
Can't say I've come across the Password Synchronization Single Sign On
Daemon (SSOD) before. If you have the source, that would be good and
we'll take a look and see if this is a better solution. It certainly
has the advantage that we wouldn't need to maintain a password filter.
Regards
Paul
On 20 September 2013 08:48, Pavol Mederly <a class="moz-txt-link-rfc2396E" href="mailto:pavol.mederly@gmail.com"><pavol.mederly@gmail.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hello Paul,
while having a look at the patch I've sent you ... what's the reason for
implementing the password filter, anyway? Is it because you need to
synchronize passwords from AD to midPoint?
If it is so, there is a prototype of such password synchronizer that we have
prepared in cooperation with people at Comenius University in Bratislava. It
uses standard Microsoft-supplied component, Password Synchronization Single
Sign On Daemon (SSOD), which is able to push password changes from Windows
host to any external box (Microsoft provides a Unix-side server). I've
implemented the receiver side as a Java TCP server. Although it currently
only decrypts password change notifications and prints the password to the
console, it should be easy to change it to push passwords to midPoint via
the local model Java API. If you would be interested in this, I could try to
find the sources ;)
Of course, we will try to solve the C# webservice issue as well. I've
created a jira for it: <a class="moz-txt-link-freetext" href="https://jira.evolveum.com/browse/MID-1603">https://jira.evolveum.com/browse/MID-1603</a>.
Best regards,
Pavol
</pre>
</blockquote>
</blockquote>
<br>
</body>
</html>