With a password notification package, I can have Microsoft’s Active Directory (AD) call a custom-made dynamic link library (DLL) whenever a user’s password is changed in the directory. The notification package (i.e. the DLL) exports up to three routines that are invoked by the Local Security Authority (LSA) on the domain controller:
- When the machine starts and the LSA loads the DLL, InitializeChangeNotify() is invoked. This optional function can open necessary files, connections, etc.
- Upon a password change, PasswordFilter() is called with the account’s name, the user’s full name and the proposed password in clear text (all as UNICODE_STRING structures: UTF-16, length given in bytes, not null-terminated), plus a flag that says whether the password is being set by an administrator or changed by the user. The function may inspect the password and returns a boolean value indicating whether it “accepts” it. For instance, stringent password checking can take place in this function to ensure that only passwords of a certain quality are set in AD.
- When all the filter functions in the chain of notification packages (there may be more than one) have returned TRUE and AD actually commits the password, it invokes the optional PasswordChangeNotify() function, giving it the account’s name, the account’s relative ID (RID) and the password that was set. Again, this is the clear text password.
Two things to keep in mind: the DLL is loaded into the LSASS process of every domain controller it is registered on, so a crash or a slow, blocking call in any of these routines affects the DC itself; and because the DLL receives every new password in clear text, the same mechanism is a well-known credential-theft technique, so the DLL file and its registration in the registry deserve the same protection as the DC’s own binaries.
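The skeleton below is an added example, not the author’s DLL: a minimal notification package that exports the three documented LSA entry points, with the policy logic kept portable so it can be compiled and unit-tested on any host (the LSA glue is compiled only under `_WIN32`). The policy itself (at least 12 characters, must not contain the account name) is an assumed stand-in for the author’s “stringent password checking”, and the exclusion of computer accounts (sAMAccountName ending in `$`) is the one the author mentions for the synchronization step. The `*_ascii` helpers and the hand-built UNICODE_STRINGs exist only for testing; on a DC the LSA supplies real UTF-16 strings. Registration is assumed to be the usual one: copy the DLL to `%SystemRoot%\System32` and add its base name to the REG_MULTI_SZ value `Notification Packages` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, then reboot.

```c
/* Added example (not the author's code): AD password notification package
 * with a portable, testable policy core. Build for a 64-bit DC with
 *   x86_64-w64-mingw32-gcc -shared -o pwdfilter.dll pwdfilter.c
 * The policy (MIN_LEN, no account name in the password) is an assumption. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>                      /* UNICODE_STRING, NTSTATUS */
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif
#else
/* Stand-ins mirroring the Windows definitions so the core builds elsewhere. */
typedef uint16_t WCHAR;
typedef struct { unsigned short Length, MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
#endif

#define MIN_LEN 12   /* assumed policy: at least 12 UTF-16 code units */

/* UNICODE_STRING.Length is in bytes and the buffer is not null-terminated. */
static size_t us_len(const UNICODE_STRING *s) { return s->Length / sizeof(WCHAR); }

static WCHAR lower_ascii(WCHAR c) { return (c >= 'A' && c <= 'Z') ? (WCHAR)(c + 32) : c; }

/* Case-insensitive (ASCII letters only) substring test on UTF-16 buffers. */
static int us_contains_ci(const UNICODE_STRING *hay, const UNICODE_STRING *needle)
{
    size_t hl = us_len(hay), nl = us_len(needle);
    if (nl == 0 || nl > hl) return 0;
    for (size_t i = 0; i + nl <= hl; i++) {
        size_t j = 0;
        while (j < nl && lower_ascii(hay->Buffer[i + j]) == lower_ascii(needle->Buffer[j])) j++;
        if (j == nl) return 1;
    }
    return 0;
}

/* Policy core behind PasswordFilter: 1 = accept, 0 = reject. */
int policy_accepts(const UNICODE_STRING *account, const UNICODE_STRING *password)
{
    if (us_len(password) < MIN_LEN) return 0;
    if (us_contains_ci(password, account)) return 0;   /* e.g. "jdoe" in "jdoe2024!" */
    return 1;
}

/* Computer accounts (sAMAccountName ends in '$') must not be synchronized. */
int is_computer_account(const UNICODE_STRING *account)
{
    size_t n = us_len(account);
    return n > 0 && account->Buffer[n - 1] == (WCHAR)'$';
}

/* Test/demo helper: build a UNICODE_STRING from ASCII in caller-provided storage. */
static void us_from_ascii(UNICODE_STRING *s, WCHAR *buf, size_t cap, const char *a)
{
    size_t n = strlen(a);
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++) buf[i] = (WCHAR)(unsigned char)a[i];
    s->Buffer = buf;
    s->Length = (unsigned short)(n * sizeof(WCHAR));
    s->MaximumLength = (unsigned short)(cap * sizeof(WCHAR));
}

int policy_accepts_ascii(const char *account, const char *password)
{
    WCHAR ab[64], pb[256];
    UNICODE_STRING a, p;
    us_from_ascii(&a, ab, 64, account);
    us_from_ascii(&p, pb, 256, password);
    return policy_accepts(&a, &p);
}

int is_computer_account_ascii(const char *account)
{
    WCHAR ab[64];
    UNICODE_STRING a;
    us_from_ascii(&a, ab, 64, account);
    return is_computer_account(&a);
}

#ifdef _WIN32
/* Entry points the LSA resolves by name. On 32-bit builds export them
 * undecorated via a .def file; on x64 __declspec(dllexport) is enough. */
__declspec(dllexport) BOOLEAN __stdcall InitializeChangeNotify(void)
{
    return TRUE;   /* open log files, connections, etc.; FALSE refuses loading */
}

__declspec(dllexport) BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName,
        PUNICODE_STRING FullName, PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    (void)FullName; (void)SetOperation;   /* SetOperation: TRUE = admin reset */
    return policy_accepts(AccountName, Password) ? TRUE : FALSE;
}

__declspec(dllexport) NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName,
        ULONG RelativeId, PUNICODE_STRING NewPassword)
{
    (void)RelativeId;
    if (!is_computer_account(UserName)) {
        /* Hand UserName/NewPassword to the sync transport here (the author
         * uses a TLS-protected Web service). Keep it quick and never log the
         * password: this runs synchronously inside LSASS on the DC. */
        (void)NewPassword;
    }
    return STATUS_SUCCESS;
}
#endif
```

Keeping the policy in plain functions that take UNICODE_STRINGs, separate from the exported LSA routines, is the part worth copying: it lets the checks be exercised with a normal compiler and test harness before anything is loaded into LSASS, where a bug costs a domain controller reboot.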
The last function is effectively used to pass the changed credentials to
Identity Management Systems (IDM). (Don’t forget to exclude computer accounts
from those…) The DLL I’ve created (using MinGW on Cygwin) uses the
PasswordChangeNotify function to invoke a secure Web service, from which I
synchronize the password with our OpenLDAP directory. The DLL
could of course use LDAP operations to update the target directory, but I’m
employing a Web service to be more flexible. For example, if desired I can
easily add a synchronization to the Lotus Domino Internet password or to other
systems, without having to change the DLL on the Active Directory domain
controllers. Nice stuff. Simon has kindly (cough) “offered” (cough) to write
the NSIS installer for the package, so we’ll be ready to deploy the
package very soon. The installer will copy the DLL, set up client SSL/TLS
certificates for it and create a couple of registry entries. The brunt of the
synchronization proper will be done by the Web service, and I still have to
complete (and thoroughly test) that.