From: Kartik Subbarao <kartik_subba...@hp.com>
Subject: NT pass-through plugin code released on SourceForge
Date: Mon, 20 Aug 2001 13:03:22 -0400
Organization: Another Netscape Collabra Server User
We're happy to announce version 1.0 of an NT authentication plugin for
iPlanet Directory Server running on Linux and HP-UX. This plugin allows
you to leverage an existing NT domain infrastructure for LDAP
pass-through authentication, saving you the trouble of managing or
synchronizing individual userPassword attributes for each user.

For more information on how the plugin works, see below. You can
download the plugin at:

The main project page is:

The code is licensed under the GPL.

We're eager to get feedback, and welcome anyone who is interested in
participating to join the project.

Neil Dunbar and Kartik Subbarao

How it works

To illustrate how the plugin works, take the following excerpts from two
entries in an LDAP Directory:

dn: uid=neil_dun...@hp.com, ou=Employees, o=hp.com
cn: Neil Dunbar

dn: uid=kartik_subba...@hp.com, ou=Employees, o=hp.com
cn: Kartik Subbarao

When Neil Dunbar binds to the LDAP server with his distinguished name
and password, an authentication request is sent to a domain controller
for the EUROPE1 domain. This request attempts to authenticate the user
"nd" using the password in the LDAP bind request. If the domain
controller replies with a successful response, the bind is allowed,
otherwise it is rejected.

Similarly, when Kartik Subbarao binds to the LDAP server with his
distinguished name and password, a request is sent to a domain
controller for the ATLANTA2 domain to authenticate the user kssu in the

Currently, the plugin is written for iPlanet's Directory Server product.
We are looking at porting it to OpenLDAP as well. The plugin has been
tested extensively on Linux and HP-UX, and is likely to run on most
other Unix platforms as well. As a security measure, binds are only
accepted on port 636 (the standard LDAP/SSL port).
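
The bind decision described above, modelled as an added C example; it is not
the plugin's code and is not taken from the project. The DN table, the
dc_authenticate() stub, the RC_* names and the sample password are
assumptions, and the empty-password and fail-closed checks are additions
that a pass-through design generally needs, not behaviour stated in the post.

```c
#include <stdio.h>
#include <string.h>

/* LDAP result codes from RFC 4511, named locally for this example. */
enum { RC_SUCCESS = 0, RC_CONFIDENTIALITY_REQUIRED = 13,
       RC_INVALID_CREDENTIALS = 49, RC_UNAVAILABLE = 52 };

/* Constructed DN-to-NT-account table; how the plugin stores this link is not on the page. */
struct nt_account { const char *dn, *domain, *user; };
static const struct nt_account DIRECTORY[] = {
    { "uid=neil,ou=Employees,o=example.com",   "EUROPE1",  "nd"   },
    { "uid=kartik,ou=Employees,o=example.com", "ATLANTA2", "kssu" },
};

/* Hypothetical domain controller stub (constructed data): only EUROPE1 answers. */
enum dc_reply { DC_ACCEPT, DC_REJECT, DC_UNREACHABLE };
static enum dc_reply dc_authenticate(const char *domain, const char *user, const char *pw)
{
    if (strcmp(domain, "EUROPE1") != 0)
        return DC_UNREACHABLE;
    if (strcmp(user, "nd") == 0 && strcmp(pw, "s3cret") == 0)
        return DC_ACCEPT;
    return DC_REJECT;
}

/* Result code for a simple bind that arrived on local_port. */
int passthru_bind(int local_port, const char *dn, const char *password)
{
    if (local_port != 636)                /* refuse binds outside LDAP/SSL */
        return RC_CONFIDENTIALITY_REQUIRED;
    if (password == NULL || *password == '\0')
        return RC_INVALID_CREDENTIALS;    /* never forward an empty password */
    for (size_t i = 0; i < sizeof DIRECTORY / sizeof DIRECTORY[0]; i++) {
        if (strcmp(dn, DIRECTORY[i].dn) != 0)
            continue;
        switch (dc_authenticate(DIRECTORY[i].domain, DIRECTORY[i].user, password)) {
        case DC_ACCEPT:      return RC_SUCCESS;
        case DC_UNREACHABLE: return RC_UNAVAILABLE;       /* fail closed */
        default:             return RC_INVALID_CREDENTIALS;
        }
    }
    return RC_INVALID_CREDENTIALS;        /* unknown DN: same answer as bad password */
}

int main(void)
{
    printf("%d\n", passthru_bind(636, DIRECTORY[0].dn, "s3cret"));
    return 0;
}
```

Returning the same code for an unknown DN and a wrong password keeps the
bind response from revealing which entries exist.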