
Re: using Active Directory encryption mechanism to authenticate user in OpenLDAP



Alain Dejoux wrote:

Hi,

I need to migrate an Active Directory PDC server to OpenLDAP. I have
resolved most problems but I am struggling with the initial password migration. I
explain: I must retrieve all user passwords in AD and put them in
OpenLDAP, so users don't need to change their password (a mandatory customer
request :-/ ). I know how to encode passwords in AD format but I am searching for a
way to use this method in OpenLDAP.

Is it possible to add a mechanism to OpenLDAP? Or else does someone know a
better way to migrate password data from Active Directory? I thought of
samba but I can only create an smbpasswd file with it, and that didn't change
my authentication problem.


Active Directory does not store users' plaintext passwords, so it is impossible to extract those. It stores a Kerberos key and possibly an NT hash of the users' passwords. pwdump2 can be used to extract the NT hash, I'm not aware of any way to extract the Kerberos key, and none of this is retrievable directly using LDAP.

Assuming that the NT hash will satisfy your need, OpenLDAP already supports this hash format as one of its password hash mechanisms, although it must be explicitly enabled at configure time. Also, the password hash mechanisms are dynamically loadable so you can certainly add new mechanisms if you need to.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support