On Fri, 2003-06-20 at 06:43, Jonghyuk Choi wrote:
> >Except that is modifying the client to satisfy the server - and I'm not
> >sure that solves our problem. If I wanted to modify the client, I would
> >run pam_winbind - that also works out of the box. But that's not the
> >solution I'm looking for, and for LDAP to use it, we have the mess I
> >described.
> >
> >We need a solution that works for the simple bind. Then we can look at
> >'secure' alternatives.
>
> Hi. I also have been following this thread.
>
> If the intent is to use simple bind, client changes don't seem necessary.
> As Howard pointed out, {LM|NT} schemes can be added with a libutil
> backport to OpenLDAP 2.1 from CVS.
>
> The synchronization issue can be solved by a plugin or by a proxy.
> sambaLMPassword attribute can be synced to the userPassword
> attribute either before bind or after password modification.

Except that we can't put the plaintext or {CRYPT} value there, so we are
back to {LM|NT} schemes, which seem to have other issues, like the fact
that we have other hash types we would interfere with.

I really don't think asking our admins to set up an OpenLDAP proxy
installation is viable...

> Another option is to use back-ldap, as SLAPI is not supported in OpenLDAP
> 2.1.
> Entries in the native backend have userPassword attribute and is shown to
> the client with the sambaLMPassword attribute instead of it through the
> mapping capability of back-ldap. The mapping works at both read and write.
> (In fact, when I've been searching the OpenLDAP archive, I found a short
> discussion on the attribute level aliasing, but couldn't find followups.
> Anybody knows the status?)
>
> - Jong
>
> ------------------------
> Jong Hyuk Choi
> IBM Thomas J. Watson Research Center - Enterprise Linux Group
> P. O. Box 218, Yorktown Heights, NY 10598
> email: jongchoi@us.ibm.com
> (phone) 914-945-3979 (fax) 914-945-4425 TL: 862-3979

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net