
NT/LM hash support for OpenLDAP



Hello all,

I worked out my db dependency problem so things compile now. I've been
working on cleaning up the LANMAN hash support and adding NTLM support, and
have what I believe to be a working (yet untested) LANMAN/NTLM aware
OpenLDAP up and running. Why might I want to do that? It's the hash
generation I'm after as I'd really like to be able to feed all password
updates through PAM (via passwd and samba mostly), which uses the exop
functionality to update the various hashes (specifically NT, LM, and one of
the MD5/SHA1 hashes). Ideally I'd be able to store a couple of different
hashes - 'modern' hashes for Linux/*BSD, crypt hashes for older/proprietary
Unix, NT/LM for Windows, and possibly even plain text for CRAM-MD5 etc. I
suspect this is what authPassword is for.

Anyway, I'm hoping I'm not wasting my time as no doubt there are those
among us who would rather not pollute OpenLDAP with things like NTLM
hashes, NT ACLs, etc. Then again LANMAN's already implemented... and it
doesn't get much worse than that :-)

Some questions:

Are LANMAN and NTLM suitable scheme names? I'd rather come up with
something suitable now than cause extra confusion by using X-THING now (or
OIDs).

Does anyone have a problem with adding the following to schema_prep.c
(courtesy jerry@samba.org, according to the enterprise number)?

attributetype ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword'
        DESC 'LanManager Passwd'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword'
        DESC 'NT Passwd'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

Is there a better way to implement the exops in the backends? I've only
had a quick look, but they seem fairly manual (start transaction, get
entry, etc.), whereas I'd probably rather put the code for each hash in
one place and call backend-specific update functions.

Does support for authPassword exist yet? How would it be supported? I guess
the password-hash setting in slapd.conf would have to accept multiple
schemes, and a hash would be generated for each scheme listed. Checking
code would need to be updated too.

-- 
Sam Johnston
Australian Online Solutions
1300 132 809