AD Auth on Oracle Portal Using Password Filters

Created 2007-01-17 / Edited 2007-01-17

We're becoming quite the Oracle shop at work. The accounting package we recently purchased actually encompasses a lot more than just ledgers -- it helps us track things such as individual projects. And it comes with all sorts of Oracle goodies, including Oracle Portal.

One thing that I'm working toward is a single username and password for everything. Programs will all ultimately depend on the Active Directory authentication for this, and most things already do (such as our DJabberd AD Authen setup). The Oracle Portal is one spot where this will be very useful... but after trying to integrate AD with Oracle's LDAP directly and failing (turns out there are some required pieces which our Oracle install lacks), I decided on a different route.

In comes the idea of using Microsoft's Password Filters. MS introduced a customizeable hook into their password-change chain so that more or less strict passwords can be enforced. So the "trick" is to insert an item into this filter chain which doesn't filter, but instead takes the new password and goes off changing the user's password in other systems. A back-door on purpose!

After thrashing around with my own C version of some C++ examples of doing this (mostly I had trouble with the unicode->ANSI conversion... so spoiled by Perl...), I finally remembered PasswdHK, a generic hook that just calls an external program. Perfect!

Tie that up with a little perl, wrapped and ready to distribute with PAR (which I had to modify a bit. I need to wrap up my mod and send it upstream...). Like magic, when users are set up or change their password they get all their Oracle Portal goodness.