With a password notification package (also known as a password filter DLL), I can have Microsoft’s Active Directory (AD) call a custom-made dynamic link library (DLL) whenever a user’s password is changed in the directory. The DLL is loaded into the Local Security Authority process (lsass.exe), so it has to be installed on every domain controller, since the change is processed on whichever DC receives it: the file goes into %SystemRoot%\System32, must be built for the DC’s architecture, and is named in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages; the LSA only picks it up after a reboot. The notification package (i.e. the DLL) exports up to three routines that the LSA invokes:

  • When the LSA starts (i.e. at boot), InitializeChangeNotify() is invoked. This optional function can open the files, connections, etc. that the other routines need and returns TRUE to signal that the package is ready.
  • Upon password change, PasswordFilter is called with the account’s name, the user’s full name, the proposed password in clear text and a flag (SetOperation) that tells whether the password is being set administratively or changed by the user. The function may inspect the password and returns a boolean value indicating whether it “accepts” the password; returning FALSE makes the change fail. Stringent password checking can therefore take place in this function to ensure that only passwords of a certain quality are set in AD.
  • When all the filter functions in the chain of notification packages (there may be more than one) have returned TRUE and AD has actually committed the password, it invokes the optional PasswordChangeNotify function, giving it the account’s name, its relative identifier (RID) and the new password. Again, this is the clear text password. Because the change is already committed, this routine cannot veto it; it should do its work quickly and return STATUS_SUCCESS, as the LSA waits for it. Note that whatever sits in these routines runs as SYSTEM inside lsass.exe and sees every password in the domain in clear text, so the DLL and the registry value that loads it deserve the same protection as the domain controller itself (a rogue notification package is a well-known credential-theft and persistence technique), and the password must never be written to a log.

The last function is effectively used to pass the changed credentials to Identity Management Systems (IDM). (Don’t forget to exclude computer accounts, recognisable by the trailing “$” in their names, from those…) The DLL I’ve created (using MinGW on Cygwin) uses the PasswordChangeNotify function to invoke a secure Web service, from which I synchronize the password with our OpenLDAP directory. The DLL could of course use LDAP operations to update the target directory directly, but I’m employing a Web service to be more flexible. For example, if desired I can easily add a synchronization to the Lotus Domino Internet password or to other systems without having to change the DLL on the Active Directory domain controllers. Nice stuff. Simon has kindly (cough) “offered” (cough) to write the NSIS installer for the package, so we’ll be ready to deploy it very soon. The installer will copy the DLL, set up the client SSL/TLS certificate the DLL presents to the Web service and create a couple of registry entries. The brunt of the synchronization proper will be done by the Web service, and I still have to complete (and thoroughly test) that.
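As an added example (not the DLL described in this post), here is a skeleton of a notification package that carries the two pieces of logic discussed above: a password quality check in PasswordFilter and the computer-account exclusion in PasswordChangeNotify before anything is handed to the synchronization service. The quality policy, the helper names (is_computer_account, password_is_acceptable, forward_to_sync) and the check_filter/check_notify drivers are assumptions for illustration; forward_to_sync is a stub that only counts calls where the real DLL would contact the Web service. With MinGW on Windows the file builds as a DLL against windows.h/ntsecapi.h; elsewhere the minimal stand-ins for the LSA types let the logic compile and be exercised.

```c
/* Added example: password notification package skeleton (not the post's code).
 * Policy, helper names and the forward_to_sync stub are assumptions. */
#include <stddef.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#define EXPORT __declspec(dllexport)
#else
typedef unsigned short WCHAR;          /* UTF-16 code unit, as on Windows */
typedef unsigned char BOOLEAN;
typedef unsigned long ULONG;
typedef long NTSTATUS;
typedef struct {
    unsigned short Length;             /* in bytes, not characters */
    unsigned short MaximumLength;
    WCHAR *Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
#define TRUE 1
#define FALSE 0
#define NTAPI
#define EXPORT
#endif
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0)
#endif

static size_t ustr_len(const UNICODE_STRING *s) { return s->Length / sizeof(WCHAR); }
static WCHAR lower_ascii(WCHAR c) { return (c >= 'A' && c <= 'Z') ? (WCHAR)(c + 32) : c; }

/* Computer accounts carry a trailing '$' (e.g. DC01$); their passwords are
 * machine generated and rotated by the OS, so they must not be synchronized. */
static BOOLEAN is_computer_account(const UNICODE_STRING *name)
{
    size_t n = ustr_len(name);
    return (n > 0 && name->Buffer[n - 1] == (WCHAR)'$') ? TRUE : FALSE;
}

/* Assumed quality policy: at least 12 code units, three of the four classes
 * lower/upper/digit/other, and the account name must not occur in the
 * password (ASCII case-insensitive). The structure, not the numbers, is the point. */
static BOOLEAN password_is_acceptable(const UNICODE_STRING *account, const UNICODE_STRING *pw)
{
    size_t n = ustr_len(pw), an = ustr_len(account), i, j;
    int lower = 0, upper = 0, digit = 0, other = 0;
    if (n < 12)
        return FALSE;
    for (i = 0; i < n; i++) {
        WCHAR c = pw->Buffer[i];
        if (c >= 'a' && c <= 'z') lower = 1;
        else if (c >= 'A' && c <= 'Z') upper = 1;
        else if (c >= '0' && c <= '9') digit = 1;
        else other = 1;
    }
    if (lower + upper + digit + other < 3)
        return FALSE;
    for (i = 0; an > 0 && i + an <= n; i++) {     /* naive substring search */
        for (j = 0; j < an; j++)
            if (lower_ascii(pw->Buffer[i + j]) != lower_ascii(account->Buffer[j]))
                break;
        if (j == an)
            return FALSE;
    }
    return TRUE;
}

/* Hand-off to the synchronization Web service. Stubbed to a counter here; the
 * real one makes a TLS call with the DC's client certificate, never logs
 * NewPassword and wipes any copy it makes (this code runs inside lsass.exe as SYSTEM). */
static unsigned long g_forwarded = 0;
static void forward_to_sync(PUNICODE_STRING UserName, PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)NewPassword;
    g_forwarded++;
}

/* The routines the LSA resolves by name (on x86 export them undecorated via a .def file). */
EXPORT BOOLEAN NTAPI InitializeChangeNotify(void) { return TRUE; }

EXPORT BOOLEAN NTAPI PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                                    PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    (void)FullName; (void)SetOperation;   /* SetOperation is TRUE for an administrative reset */
    return password_is_acceptable(AccountName, Password);
}

EXPORT NTSTATUS NTAPI PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId,
                                           PUNICODE_STRING NewPassword)
{
    (void)RelativeId;
    if (!is_computer_account(UserName))   /* the caveat from the post: skip machine accounts */
        forward_to_sync(UserName, NewPassword);
    return STATUS_SUCCESS;                /* already committed; nothing to veto here */
}

/* Test scaffolding: build UNICODE_STRINGs from narrow literals and drive the exports. */
static void ustr_from_ascii(UNICODE_STRING *out, WCHAR *buf, size_t cap, const char *s)
{
    size_t n = strlen(s), i;
    if (n > cap) n = cap;
    for (i = 0; i < n; i++) buf[i] = (WCHAR)(unsigned char)s[i];
    out->Buffer = buf;
    out->Length = (unsigned short)(n * sizeof(WCHAR));
    out->MaximumLength = (unsigned short)(cap * sizeof(WCHAR));
}

int check_filter(const char *account, const char *pw)   /* 1 = accepted */
{
    WCHAR ab[64], pb[128];
    UNICODE_STRING a, p, full = { 0, 0, NULL };
    ustr_from_ascii(&a, ab, 64, account);
    ustr_from_ascii(&p, pb, 128, pw);
    return PasswordFilter(&a, &full, &p, FALSE) ? 1 : 0;
}

int check_notify(const char *account)                   /* 1 = forwarded to sync */
{
    WCHAR ab[64], pb[128];
    UNICODE_STRING a, p;
    unsigned long before = g_forwarded;
    ustr_from_ascii(&a, ab, 64, account);
    ustr_from_ascii(&p, pb, 128, "Irrelevant-Here-1");   /* constructed sample */
    return PasswordChangeNotify(&a, 1105UL, &p) == STATUS_SUCCESS && g_forwarded == before + 1;
}
```

Two design points worth keeping even if the policy changes: PasswordFilter must be cheap and must not block, since the LSA calls every registered package synchronously on every change, and PasswordChangeNotify should decide locally whether an account is worth forwarding (computer accounts, service accounts) rather than leaving that to the Web service, because by then the clear text password has already left the DC.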

LDAP, DomiNotes, Software, and Security :: 13 Sep 2008