Re: AD -> OpenLDAP sync and userPassword crypt
Geoff Silver wrote:
> Two questions in one. First, I'm trying to figure out how difficult it
> will be to set up Active Directory on W2K to replicate its data to
> OpenLDAP.
Surely a proxy-cache would be a better option.
> All we really need replicated is enough to build out
> /etc/passwd, /etc/shadow, and /etc/group files. I suspect the difficult
> part is getting the password out of SAM and into OpenLDAP in crypted
> form, though I'm guessing someone out there has done this.
AFAIK, you can't. The password hash used by Windows is incompatible; the
only way to convert would be brute-force.
> Second, I need to dump the OpenLDAP data into /etc/passwd,shadow,group
> files on some AIX systems. PAM is a poor choice because connectivity is
> going to be an issue, and we're looking at roughly 200 remote sites with
> limited bandwidth. The goal is to dump the relevant data about once per
> day, but the tricky part is dumping the userPassword hash in a format
> which the OS can understand. I *suspect* {crypt} form will "just work",
> though I'm wondering if anyone can confirm or deny that
I don't think this is a viable strategy.
> (if not, does
> anyone have a good solution - cleartext in LDAP salted to a crypt hash?)
nss_updatedb, nss_ldap and nss_updatedb?
OpenLDAP proxy cache?
Regards,
Buchan
--
Buchan Milne Senior Support Technician
Obsidian Systems http://www.obsidian.co.za
B.Eng RHCE (803004789010797)
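The {crypt} question raised in the thread, as an added example (not code from either poster): a small Python sketch that reads userPassword values from a constructed LDIF fragment, keeps only {CRYPT} values (whose payload is already a crypt(3) string of the kind /etc/shadow stores) and reports entries whose scheme cannot be converted, which is the point Buchan makes about non-crypt hashes. The entry names and hash strings are made up.

```python
import base64
# Constructed sample LDIF (not taken from the thread); both hash strings are dummies.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
userPassword:: e0NSWVBUfWFiY2RlZmdoaWprbG0=

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
userPassword: {SSHA}Zm9vYmFyYmF6cXV4Y29uc3RydWN0ZWQ=
"""

def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' / 'attr:: base64' lines, no folding."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode()
        cur[attr.strip().lower()] = value.strip()
    return entries

def shadow_hash(user_password):
    """Return the crypt(3) string inside a {CRYPT} userPassword, else None: other
    schemes ({SSHA}, {MD5}, ...) need the cleartext, and cleartext never goes to shadow."""
    if not user_password.startswith("{"):
        return None
    scheme, _, rest = user_password[1:].partition("}")
    return rest if scheme.upper() == "CRYPT" and rest else None

def to_shadow_lines(ldif_text):
    """Emit shadow-style lines for convertible users; return the others as skipped."""
    lines, skipped = [], []
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid")
        if not uid:
            continue
        h = shadow_hash(entry.get("userpassword", ""))
        if h is None:
            skipped.append(uid)
            continue
        # name:hash:lastchg:min:max:warn:inactive:expire:reserved
        lines.append(f"{uid}:{h}:::::::")
    return lines, skipped
```

Whether the target OS accepts a particular crypt(3) variant (traditional DES versus $1$-style MD5, for instance) still has to be checked on that system, which is the "confirm or deny" part the thread leaves open.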