NT/UNIX password synchronization, using LDAP for password store.
Phil Mayers
p.mayers at ic.ac.uk
Sat Feb 19 12:49:34 GMT 2000
A caveat: then the passwd program string (including the bind DN command-line
argument and password) will be in the smb.conf file (which is
world-readable). It's best to have a simple root-only shell script
which does it...
Unfortunately, I then couldn't get ldappasswd to take the password on
stdin - it always tried to open a terminal. I ended up hacking this
together:
#!/usr/bin/perl -w
use strict;

# Samba runs this as root with the user name as the only argument and
# sends the new password on stdin (one line).
my $user = shift @ARGV;
defined $user and $user =~ /^[A-Za-z0-9._-]+$/
    or die "usage: $0 <username>\n";   # keeps commas/newlines out of the DN
my $pass = <STDIN>;
defined $pass or die "no password on stdin\n";
chomp $pass;

# Traditional DES crypt(3) with a random two-character salt.
my @saltchars = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
my $salt = join '', @saltchars[rand 64, rand 64];
my $hash = crypt($pass, $salt);

# List-form pipe open: no shell, so the DN needs no quoting. The bind
# password is still on ldapmodify's command line (visible in ps), which
# is why this script must be root-only.
open(my $ldap, '|-', 'ldapmodify',
     '-D', 'cn=root, dc=house, dc=net', '-w', 'R1ch26')
    or die "cannot run ldapmodify: $!\n";
print {$ldap} <<"EOF";
dn: uid=$user, ou=People, ou=DS, dc=house, dc=net
changetype: modify
replace: userPassword
userPassword: {crypt}$hash
EOF
close $ldap or die "ldapmodify failed (status $?)\n";
exit 0;
Cheers,
Phil
Luke Howard wrote:
>
> >This is fundamentally the same issue as the unix passwd sync
> >parameter. The new password is received in the clear (actually
> >not, but it is decryptable). The old password is not available.
> >You can probably just use a custom "password program" setting
> >and get it to work.
>
> That should work with OpenLDAP's ldappasswd, a matter of
> setting the bind DN correctly. It would be less of a hack
> to have the ldapdb code in nt5ldap update this itself,
> though.
>
> -- Luke
> --
> Luke Howard
> PADL Software Pty Ltd
> http://www.padl.com
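The following is an added example, not Phil's script and not part of Samba or OpenLDAP. It does the same job as the Perl script above (Samba's "passwd program" hands it the user name as the argument and the new password on stdin) but addresses the two exposures the thread touches on: the user name is validated before it is interpolated into the DN and LDIF, and the bind password is read by ldapmodify from a root-only file with `-y` rather than appearing on the command line where `ps` shows it. The bind DN and People base are the ones from the post; the path /etc/samba/ldap-root.pw is an assumption, and the `{SSHA}` hash (OpenLDAP's salted SHA-1 scheme) and the `-x`/`-y` options are swapped in from current OpenLDAP tools, which the OpenLDAP of 2000 did not have.

```python
#!/usr/bin/env python3
"""Root-only 'passwd program' for Samba that pushes a new password hash to LDAP.

Added example (not the post's or Samba's code). Differences from the Perl
script in the thread:
  * the user name is validated before it goes into the DN/LDIF,
  * the hash is OpenLDAP's {SSHA} (salted SHA-1) instead of DES crypt(3),
  * ldapmodify reads the bind password from a mode-0600 file (-y) instead
    of the command line, where ps would show it.
"""
import base64
import hashlib
import os
import re
import stat
import subprocess
import sys

BIND_DN = "cn=root,dc=house,dc=net"               # from the post
PEOPLE_BASE = "ou=People,ou=DS,dc=house,dc=net"   # from the post
BIND_PW_FILE = "/etc/samba/ldap-root.pw"          # assumed: root:root, mode 0600

# uid values allowed into the DN. Commas, '+', '=', spaces or newlines could
# alter the DN or inject a second LDIF record, so they are rejected outright.
_UID_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


def valid_username(user: str) -> bool:
    """True iff `user` is safe to interpolate into the DN and LDIF."""
    return bool(_UID_RE.match(user))


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return an OpenLDAP-style value: "{SSHA}" + b64(sha1(pw||salt) || salt)."""
    if not salt:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def build_ldif(user: str, hashed: str) -> str:
    """LDIF that replaces userPassword for uid=<user> under PEOPLE_BASE."""
    if not valid_username(user):
        raise ValueError("refusing to build LDIF for unsafe uid %r" % user)
    return (
        "dn: uid=%s,%s\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        "userPassword: %s\n"
        "-\n" % (user, PEOPLE_BASE, hashed)
    )


def check_secret_file(path: str) -> None:
    """Refuse to run if the bind-password file is readable by anyone but root."""
    st = os.stat(path)
    if st.st_uid != 0 or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s must be owned by root and mode 0600" % path)


def main(argv):
    if len(argv) != 2 or not valid_username(argv[1]):
        sys.stderr.write("usage: %s <username>\n" % argv[0])
        return 2
    user = argv[1]
    password = sys.stdin.readline().rstrip("\n")   # Samba writes it via passwd chat
    if not password:
        sys.stderr.write("no password on stdin\n")
        return 1
    check_secret_file(BIND_PW_FILE)
    ldif = build_ldif(user, ssha_hash(password))
    # argv list (no shell), LDIF on stdin, bind password read by ldapmodify from file.
    proc = subprocess.run(
        ["ldapmodify", "-x", "-D", BIND_DN, "-y", BIND_PW_FILE],
        input=ldif.encode("utf-8"),
    )
    return proc.returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it mode 0700 owned by root and point Samba's `passwd program` at it with `%u` as the argument (an assumed path such as /usr/local/sbin/smb-ldap-passwd %u); the `passwd chat` setting is what feeds the new password to stdin. Because the credential lives only in the 0600 file and the script refuses to run if that file is group- or world-readable, nothing secret ends up in the world-readable smb.conf or in the process list.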