Re: AD -> OpenLDAP sync and userPassword crypt
Geoff Silver wrote:
> Two questions in one. First, I'm trying to figure out how difficult
> it will be to set up Active Directory on W2K to replicate its data to
> OpenLDAP. All we really need replicated is enough to build out
> /etc/passwd, /etc/shadow, and /etc/group files. I suspect the
> difficult part is getting the password out of SAM and into OpenLDAP in
> crypted form, though I'm guessing someone out there has done this.
Symas has a module which allows OpenLDAP to directly use Windows NTLM
hashes as listed by pwdump. It's available as part of our Connexitor
Directory Services.
> Second, I need to dump the OpenLDAP data into /etc/passwd,shadow,group
> files on some AIX systems.
Symas' Connexitor EMS can do this. It puts an LDAP interface on top of
these (and many other) system files. (I.e., it installs an LDAP server
whose database is backed by the host's native security files instead of
some other database manager. On Unix it is backed by
/etc/passwd,shadow,group, etc... On Windows it is backed by the SAM.)
With this product you can manage a variety of platforms from a central
OpenLDAP server and use regular LDAP replication to keep all of the
systems synchronized. Note that AIX is a bit different from most Unix
systems, and its account database is quite complex. Connexitor EMS
handles all of its attributes properly.
> PAM is a poor choice
In general, yes.
> because connectivity is going to be an issue, and we're looking at
> roughly 200 remote sites with limited bandwidth. The goal is to dump
> the relevant data about once per day, but the tricky part is dumping
> the userPassword hash in a format which the OS can understand. I
> *suspect* {crypt} form will "just work", though I'm wondering if
> anyone can confirm or deny that
Yes, regular DES crypt will work. Of course there is no way to use the
Windows hashes mentioned above for /etc/passwd, and short of running
l0phtcrack for some number of hours, no way to reverse the Windows
hashes back into cleartext.
> (if not, does anyone have a good solution - cleartext in LDAP salted
> to a crypt hash?)
That would give you the most flexibility. Alternatively, as long as your
master database is an OpenLDAP 2.2 server, you can maintain multiple
hashes on the server and replicate just the relevant values to each
slave. Perform all password management on the central OpenLDAP server,
storing crypt and NTLM hashes in parallel. We've set this arrangement up
for many of our customers. Also with Connexitor EMS you have the option
of propagating updates in realtime, rather than dumping once/day. This
ability can be crucial when you need to quickly deactivate all the
accounts for a particular user.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
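The daily dump Geoff describes, and Howard's point that only the {CRYPT} value of a multi-valued userPassword is usable by /etc/shadow, as an added example that is not part of the original thread and not Symas or OpenLDAP code. It assumes the standard RFC 2307 posixAccount/posixGroup attributes and the `{CRYPT}` userPassword scheme; the LDIF below is constructed (in the base64 `::` form ldapsearch uses for userPassword) and its {CRYPT} string is a made-up placeholder, not the hash of any password. It keeps the {CRYPT} value, ignores other schemes, emits a locked account when no usable hash exists, and refuses attribute values that would inject fields into the colon-separated files:

```python
"""Build /etc/passwd, /etc/shadow and /etc/group lines from an LDIF dump of
posixAccount / posixGroup entries (constructed example, not Symas/OpenLDAP code)."""
import base64
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed sample of a daily "ldapsearch -LLL" dump. ldapsearch emits
# userPassword base64-encoded ("::"); the {CRYPT} value is a placeholder.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
uidNumber: 1001
gidNumber: 100
cn: Alice Example
homeDirectory: /home/alice
loginShell: /bin/ksh
userPassword:: e0NSWVBUfWFiWDFjMkQzZTRGNWc2
userPassword: {SSHA}c29tZS1vdGhlci1oYXNo
shadowLastChange: 12345

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 100
cn: Bob Example
homeDirectory: /home/bob
userPassword: {SSHA}b25seS1zc2hhLWhlcmU=

dn: cn=users,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: users
gidNumber: 100
memberUid: alice
memberUid: bob
"""


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, attribute names
    lower-cased (LDAP names are case-insensitive), 'attr:: v' base64-decoded."""
    entries: List[Entry] = []
    entry: Entry = {}
    for line in unfold(text) + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entries


def safe(value: str, what: str) -> str:
    """Refuse characters that would corrupt or inject fields into passwd/shadow/group."""
    if ":" in value or "\n" in value:
        raise ValueError(f"unsafe character in {what}: {value!r}")
    return value


def field(entry: Entry, name: str, default: Optional[str] = None) -> str:
    values = entry.get(name, [])
    if not values:
        if default is None:
            raise ValueError(f"{entry.get('dn', ['?'])[0]} lacks {name}")
        return default
    return safe(values[0], name)


def crypt_hash(entry: Entry) -> Optional[str]:
    """Pick the {CRYPT} value out of userPassword. Other schemes ({SSHA},
    Windows NT hashes, ...) cannot be used by /etc/shadow and are skipped."""
    for value in entry.get("userpassword", []):
        if value[:7].upper() == "{CRYPT}":
            return safe(value[7:], "userPassword")
    return None


def build_files(entries: List[Entry]) -> Tuple[List[str], List[str], List[str]]:
    passwd: List[str] = []
    shadow: List[str] = []
    group: List[str] = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixaccount" in classes:
            uid = field(e, "uid")
            uidn, gidn = int(field(e, "uidnumber")), int(field(e, "gidnumber"))
            gecos = field(e, "gecos", field(e, "cn", ""))
            home, shell = field(e, "homedirectory"), field(e, "loginshell", "/bin/sh")
            passwd.append(f"{uid}:x:{uidn}:{gidn}:{gecos}:{home}:{shell}")
            # No {CRYPT} value: emit the account locked ("!"). An empty
            # password field means "no password needed" on many systems.
            pw = crypt_hash(e) or "!"
            shadow.append(f"{uid}:{pw}:{field(e, 'shadowlastchange', '')}:0:99999:7:::")
        elif "posixgroup" in classes:
            members = []
            for m in e.get("memberuid", []):
                if "," in m:
                    raise ValueError(f"memberUid {m!r} contains a comma")
                members.append(safe(m, "memberUid"))
            group.append(f"{field(e, 'cn')}:x:{int(field(e, 'gidnumber'))}:{','.join(members)}")
    return passwd, shadow, group


def rejects(ldif: str) -> bool:
    """True if the dump is refused (used to show the injection check working)."""
    try:
        build_files(parse_ldif(ldif))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for name, lines in zip(("passwd", "shadow", "group"), build_files(parse_ldif(SAMPLE_LDIF))):
        print(f"--- {name} ---")
        print("\n".join(lines))
```

On the target host the three lists would be written to temporary files and moved into place atomically (and run through pwck/grpck first) rather than written directly; AIX's own account database has more attributes than this, as Howard notes, so there the passwd/shadow/group view is the minimum, not the whole story.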