The Directory Server NT Authentication Module offers a plugin that permits LDAP authentication using an NT domain account.
For security, the daemon listens only on localhost, so credentials are never exposed over the network, and it runs without root privileges, which limits the damage if the daemon itself is compromised. The module tries to locate all domain controllers for the given domain, so authentication does not fail because a single DC is down; it fails only when no DC accepts the credentials.
This release comes with one minor change: a new parameter in ntauth-config.txt named "null_password_fail". When set to a non-zero value, a simple bind with a non-NULL DN and a NULL (empty) password returns INVALID CREDENTIALS. By default the parameter is off, and such a bind silently assigns the anonymous identity to the post-bind LDAP session, which is the behaviour the LDAP specification describes for this case.
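The added example below is not part of the module; it is a small Python model of the bind outcomes described above, written to show why an application that only checks for a SUCCESS result can be fooled by an empty password when null_password_fail is off (LDAP calls a bind with a DN and an empty password an "unauthenticated bind", and RFC 4513 §5.1.2 recommends that servers reject it by default). The account store, DNs and passwords are constructed; resultCode 49 is the standard LDAP invalidCredentials value.

```python
"""Model of simple-bind handling with and without null_password_fail.

Added example, not the plugin's code. The account table, DNs and
passwords below are constructed test data.
"""
from dataclasses import dataclass
from typing import Optional

SUCCESS = 0
INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials

# Constructed stand-in for the NT domain: DN -> password.
ACCOUNTS = {"cn=alice,ou=users,dc=example,dc=com": "correct horse"}


@dataclass
class BindResult:
    result_code: int
    identity: Optional[str]  # None means the session is anonymous


def server_simple_bind(dn: str, password: str, null_password_fail: bool) -> BindResult:
    """Model of the server side of a simple bind.

    null_password_fail=False reproduces the default described on the page:
    a DN with an empty password yields SUCCESS but an anonymous session.
    """
    if not dn:
        return BindResult(SUCCESS, None)  # plain anonymous bind
    if password == "":
        if null_password_fail:
            return BindResult(INVALID_CREDENTIALS, None)
        return BindResult(SUCCESS, None)  # unauthenticated bind -> anonymous
    if ACCOUNTS.get(dn) == password:
        return BindResult(SUCCESS, dn)
    return BindResult(INVALID_CREDENTIALS, None)


def naive_login(dn: str, password: str, null_password_fail: bool = False) -> bool:
    """The common application bug: any SUCCESS is treated as a verified login."""
    return server_simple_bind(dn, password, null_password_fail).result_code == SUCCESS


def safe_login(dn: str, password: str, null_password_fail: bool = False) -> bool:
    """Defensive version: never send an empty password, and require that the
    bound identity is the DN we asked for, not the anonymous identity."""
    if not dn or not password:
        return False
    result = server_simple_bind(dn, password, null_password_fail)
    return result.result_code == SUCCESS and result.identity == dn


if __name__ == "__main__":
    alice = "cn=alice,ou=users,dc=example,dc=com"
    print("naive, empty password, default config:", naive_login(alice, ""))
    print("naive, empty password, null_password_fail=1:", naive_login(alice, "", True))
    print("safe, empty password, default config:", safe_login(alice, ""))
    print("safe, correct password:", safe_login(alice, "correct horse"))
```

Enabling null_password_fail closes the hole at the server, but the safe_login pattern is the one to apply in the application regardless, since it does not depend on how the directory is configured.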
Overall, the Directory Server NT Authentication Module is a solid plugin that adds an extra layer of protection to LDAP authentication. The two-part project (plugin and daemon) is straightforward to deploy, and this minor change makes its default behaviour easier to lock down.
Version 2.0.3: N/A