ldap lpPassword and ntPassword fields

Allen Reese allen at driversoft.com
Tue Dec 15 20:06:56 GMT 1998


On Wed, 16 Dec 1998, Jean Francois Micouleau wrote:

> 
> 
> On Wed, 16 Dec 1998, Matthew Chapman wrote:
> 
> > Yep, ok, but some people will want to point Samba at existing LDAP servers
> > somewhere else. If you recommend replicating to a local LDAP server than
> > the replication happens in the clear which isn't nice either...
> 
> I agree. BTW, replication is more to off-load an LDAP server when reading
> entries. Because when you modify a record it's always on the main LDAP
> server.
> 
> For people using LDAP servers only compliant with the version 2 protocol,
> the data is transmitted in clear text form.
> 
> LDAP protocol version 3 includes some encryption solutions based on SSL/TLS,
> IIRC.
Yep, it does.

You use SASL to get the authentication credentials, then you can use those
creds to authenticate and start up an SSL/TLS/Kerberos connection.

What would be really nice is being able to, say, authenticate using LDAP,
and possibly get a secure connection out of that which other protocols can
run over.  ;)

This could be done with a wrapper, like ssh does.  You run the security
provider as a service, then the client box will talk over this layer
without knowing it's there.
So, say, ports 137, 138 and 139 would be rerouted through the security service,
then out to the server through the security service, then back to 137, 138
or 139.

Make sense?  I hope so; I am currently working on architecting something
like this for an LDAP library I am writing.

> 
> > Seeing many people are happy with registry hacks to enable
> > totally cleartext passwords (not even hashes), I don't think this is such
> > a big issue. But it's certainly something I would like to look into
> > improving at some point.
> 
> Yep.
> 

This would also work just fine.  ;)