Re: AD -> OpenLDAP sync and userPassword crypt

[Buchan Milne <bgmilne@obsidian.co.za>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Geoff Silver wrote:
> Two questions in one.  First, I'm trying to figure out how difficult it
> will be to set up Active Directory on W2K to replicate its data to
> OpenLDAP.

Surely a proxy-cache would be a better option.

>  All we really need replicated is enough to build out
> /etc/passwd, /etc/shadow, and /etc/group files.  I suspect the difficult
> part is getting the password out of SAM and into OpenLDAP in crypted
> form, though I'm guessing someone out there has done this.

AFAIK, you can't. The password hash used by Windows is incompatible, the
only way to convert would be brute-force.

> Second, I need to dump the OpenLDAP data into /etc/passwd,shadow,group
> files on some AIX systems.  PAM is a poor choice because connectivity is
> going to be an issue, and we're looking at roughly 200 remote sites with
> limited bandwidth.  The goal is to dump the relevant data about once per
> day, but the tricky part is dumping the userPassword hash in a format
> which the OS can understand.  I *suspect* {crypt} form will "just work",
> though I'm wondering if anyone can confirm or deny that

I don't think this is a viable strategy.

> (if not, does
> anyone have a good solution - cleartext in LDAP salted to a crypt hash?)

nss_updatedb, nss_ldap and nss_updatedb?

OpenLDAP proxy cache?

Regards,
Buchan

- --
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng                                RHCE (803004789010797)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCKBl1rJK6UGDSBKcRAvpdAJ9PqreYTdXQWu0MqXh4RfuQWrHGQQCeJvfi
OndYVJhpD4bAuOKfEK1AERU=
=6EjS
-----END PGP SIGNATURE-----