Slashdot Mirror


Synchronizing Forced Password Changes?

aroobie asks: "I have several different types of servers running at my small office including Windows 2000 Advanced Server, VMS, IRIX, and Linux. My corporate parent wants to force passwords to change every 90 days, which is a good thing, but once a user changes his/her Windows password, access to the other servers is denied until I make appropriate changes on the non-Windows servers. Sort of defeats the purpose of changing the password since each user has to give me their new password to make them match on the servers. Has anyone found a way to synchronize passwords on different systems? Is there software available to do this?"

8 of 51 comments

  1. winbind by dago · · Score: 5, Informative

    winbind may be a possible solution: your Unix boxes authenticate to the NT domain.

    Winbind is an nss switch module to map Windows NT Domain databases to Unix.

    In combination with Samba and pam_ntdom, a Unix box will be able to integrate straight into a full Windows NT Domain environment, without needing a Unix Account database.

    Use of PAM modules (pam_smb, pam_ntdom) also works very well (on PAM systems like Linux or Solaris).

    --
    #include "coucou.h"

  2. MS utils for synchronizing with other systems by fluor2 · · Score: 5, Informative

    Microsoft actually made a program that syncs with Novell passwords. (Here). For Unix, use this link for finding more information. Especially this and this.

  3. LDAP by retards · · Score: 1, Informative

    Couldn't you use LDAP as a centralized authentication service? I think that's the way we're going at work with our Windows/*nix password synchronization.

    1. Re:LDAP by velkro · · Score: 2, Informative

      Works good here. Novell's eDirectory has a pwdsyunc module available to sync info/passwords with Active Directory too.

      Linux, Lotus, MS, Nortel products all happy, as well as internal apps too.

  4. related : Lucent's secstore / factotum by DrSkwid · · Score: 3, Informative

    single secure sign-on for multiple domains

    here
    or
    [pdf]

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter

  5. LDAP, of course. by -dsr- · · Score: 4, Informative

    Just run a central LDAP server. Everything you've mentioned can authenticate from LDAP. For details, just Google for LDAP and the OS name and "password".

  6. pam/nss_ldap from padl.com by Pointer80 · · Score: 5, Informative

    I'm not too familiar with VMS, but Linux can and IRIX might (no support is mentioned for it) be able to use the pam_ldap/nss_ldap modules from padl.com to authenticate against Active Directory. IIRC, this requires SFU, but I could be wrong. There is a document about it in the tarball for nss_ldap.

    Here's some links to Linux/AD integration from padl.com's doc section:

    Active Directory and Linux

    Linux-AD Integration

    Active Directory and nss_ldap

    /pointer

    --
    [%- PROCESS life -%]

  7. MS API for this is documented by Krelnik · · Score: 5, Informative

    FWIW, these tools that Microsoft provides (see excellent links in parent message) are actually built on a Windows API that is publicly documented (see "password filter") and they even offer free sample source code.

    So if you have some home-grown system you need to sync with, or you just like to roll your own solutions, you can do it. Essentially there is a DLL you load on the server that gets called every time a password is changed. It can then approve or deny the change, but more importantly since it sees the password it can do the sync. This is how the PASSFILT.DLL is implemented as well as the Novell and Unix solutions mentioned in the parent of this post.
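
Because a registered password filter DLL sees every new password in cleartext, as the last comment describes, it is worth auditing which ones LSA is configured to load on a server. The PowerShell below is an added example, not part of the original thread or Microsoft's sample code; the `$expected` baseline is an assumption to adjust per site.

```powershell
# Registry value where LSA lists the password filter / notification DLLs it loads.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'Notification Packages'

# Assumption: packages you expect on this server. Adjust to your own baseline.
$expected = @('scecli')

$packages = (Get-ItemProperty -Path $lsaKey -Name $valueName).$valueName

$report = foreach ($name in $packages) {
    if ([string]::IsNullOrWhiteSpace($name)) { continue }

    # Entries are DLL base names (no extension) loaded from System32.
    $path = Join-Path $env:SystemRoot "System32\$name.dll"
    $exists = Test-Path -LiteralPath $path
    $sig = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
    $signed = ($null -ne $sig) -and ($sig.Status -eq 'Valid')
    $known = $expected -contains $name

    [pscustomobject]@{
        Package        = $name
        Path           = $path
        Exists         = $exists
        ValidSignature = $signed
        Signer         = if ($signed) { $sig.SignerCertificate.Subject } else { $null }
        InBaseline     = $known
        # Anything missing, unsigned, or outside the baseline gets a second look.
        NeedsReview    = (-not $exists) -or (-not $signed) -or (-not $known)
    }
}

$report | Sort-Object NeedsReview -Descending | Format-Table -AutoSize -Wrap
```

Run it on each domain controller, since that is where domain password changes pass through the registered filters.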