Getting OpenLDAP to auth users against sambaNTPassword

Andrew Bartlett abartlet at
Thu Jun 19 06:10:48 GMT 2003

(resending, now I'm subscribed to OpenLDAP-devel...)

As an OpenLDAP user, and Samba developer, I'm hoping we can come to some
solution to this problem:

Samba users are forced to keep two different passwords in their
directory, when just one would do.  OpenLDAP is not doing
challenge-response authentication, and does not need the plaintext
password (for simple and PLAIN binds, at least).

I note with interest that there is a {LANMAN} password type available
for the userPassword attribute, but this does not quite meet the
requirements - for one thing it is case *INSENSITIVE*, which makes the
whole thing much weaker.  Secondly, it's on the wrong attribute...  

(Samba does not update this attribute, only its own attributes).

Would it be possible to resolve this situation, for all our admins

I would propose (for want of a better solution) a value of
{NTPASSWORD}sambaNTpassword to tell OpenLDAP to look at Samba's
attribute for the user's password.

Andrew Bartlett
Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
More information about the samba-technical mailing list