password API needed
Jean-Francois Micouleau
Jean-Francois.Micouleau at utc.fr
Tue May 12 18:34:02 GMT 1998
On Wed, 13 May 1998, Luke Kenneth Casson Leighton wrote:
> the password system you have (putting the password in clear-text) is
> unfortunately not sufficient. if we do one of the following:
You're right, it's not sufficient, and there is something worse. The
communication between an LDAP server and a client is in the clear. So it
means that when you have the LDAP server on a different machine than smbd, you
send the password in 'clear-text' over the wire.
> - create an ldap database from a private/smbpasswd file
> - create an ldap database from an NT PDC SAM registry (the holy grail that
> really takes microsoft's biscuit - an NT -> Samba migration tool HAHA!)
> - add PDC / BDC replication, and support mixed NT / Samba PDC/BDC
> environments
>
> then we will need to put the 16 byte hashes in, not the plain-text
> password. this is because the plain-text password, in the above
> scenarios, will not be available.
You have to make the distinction between user and trust accounts. If
people go for LDAP, it's because they probably want to have a single
database to store passwords.
We have 2 solutions to store the password in encrypted form:
- follow Luke Howard's RFC 2037 and have 3 userPassword values per
entry:
userPassword:{crypt}Unix's crypt password
userPassword:{lmHash}easy lmhashed password
userPassword:{ntHash}less easy but crackable nthashed password
or
- follow the Microsoft NT5 schema.
I'm reading their web schema def and the one coming with NT5 beta 1,
and I'm lost.
It looks like DBCS-Pwd is used to store the LanMan password, and
they are storing the password in userPassword and in Unicode-Pwd.
> so, if i add "ntPwdHash" and "lmPwdHash" to the ldap schema, you know why
> :-)
I don't like it; I prefer to follow RFC 2037.
{lmHash} and {ntHash} are not defined in the RFC; it's something I just
invented.
Crypted passwords are better defined in LDAP v3, but the UMich slapd server
is LDAP v2 only.
Jean Francois
-----------------------------------------------------------
Pinky: "What are we going to do tonight, Brain?"
Brain: "The same thing we do every night, Pinky :
try to install Windows NT !"
-----------------------------------------------------------