Getting OpenLDAP to auth users against sambaNTPassword

Howard Chu hyc at highlandsun.com
Thu Jun 19 07:23:42 GMT 2003


This thread seems to be arriving out-of-order, so I'm a bit confused on the
context. The thread appears out of order on the samba.org mailing list
archives as well.

Since there's already plenty to do, first I'd like to understand why using
the SASL NTLM mechanism won't work. In looking at cyrus/sasl/plugins/ntlm.c,
this appears to use a plaintext userPassword, like most of the other SASL
mechs.

Using a scheme like '{NTPASSWORD}sambaNTpassword' isn't really practical with
the current password check/hash mechanism; the password functions aren't
given any context about the DN or entry being authenticated. As such, there
isn't enough info to specify which entry's sambaNTpassword to retrieve. And
also, the passwd library has no API to perform the retrieval, short of
issuing its own ldapsearch().

If it were just a matter of fixing the case sensitivity issue in the {LANMAN}
mech, that would be OK. But Andrew mentioned something about needing to
extract a session key from the handshake - it would seem that none of these
simple password mechs would accommodate this requirement.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-devel at OpenLDAP.org
> [mailto:owner-openldap-devel at OpenLDAP.org]On Behalf Of Luke Howard

> Another option, at least for OpenLDAP 2.2, is to write a SLAPI pre-
> operation bind plugin that performs the necessary authentication.




More information about the samba-technical mailing list