From: David Wright <ichbin@shadlen.org>
To: brian jones <bj_rui@hotmail.com>
CC: openldap-software@OpenLDAP.org
Subject: Re: windows authentication & openldap: explanation.
Date: Fri, 26 Jul 2002 14:51:47 -0700 (PDT)
How Unix authentication works:
1. Server (or /etc/passwd) stores a hashed password, e.g.
"{ROT-1}tfdsfu"
2. Client hands server the cleartext of the user input, e.g. "secret"
3. Server hashes the client user input and compares it with the stored
hased password. If they match, it returns TRUE.
How Windows authentication works:
1. Server stores cleartext of the password, e.g. "secret".
2. Server sends client a challenge, e.g. "abcdef".
3. Client hashes the client input and the challenge together, e.g.
"tgfvjz" and sends this response to the server.
4. Server hases the client input and the challenge together and compares
to the client's response. If they match, it retuns TRUE.
The Windows authentication has the advantage that the cleartext password
is never sent over the wire. It the the disadvantage that the server
must
store the cleartext password.
OpenLDAP is designed to store hashed passwords, as is the Unix
tradition.
Since Windows authentication would require storing cleartext passwords,
OpenLDAP doesn't implement the challenge/response model of Windows
authentication.
You can get around this limitation. You can store a hashed password
in the
userPassword attribute and have your Unix clients authenticate off it
via
LDAP. You can also store a cleartext password in the smbPassword
attribute
and tell Samba to get passwords from LDAP. Samba implements the Windows
challenge/response model and your Windows clients can authenticate
off it.
You then need to do some scheming to make sure that the userPassword and
smbPassword attributes stay in sync.
That answer you question?