Getting OpenLDAP to auth users against sambaNTPassword

Howard Chu hyc at
Thu Jun 19 07:23:42 GMT 2003

This thread seems to be arriving out-of-order, so I'm a bit confused on the
context. The thread appears out of order on the mailing list
archives as well.

Since there's already plenty to do, first I'd like to understand why using
the SASL NTLM mechanism won't work. In looking at cyrus/sasl/plugins/ntlm.c,
this appears to use a plaintext userPassword, like most of the other SASL

Using a scheme like '{NTPASSWORD}sambaNTpassword' isn't really practical with
the current password check/hash mechanism; the password functions aren't
given any context about the DN or entry being authenticated. As such, there
isn't enough info to specify which entry's sambaNTpassword to retrieve. And
also, the passwd library has no API to perform the retrieval, short of
issuing its own ldapsearch().

If it were just a matter of fixing the case sensitivity issue in the {LANMAN}
mech, that would be OK. But Andrew mentioned something about needing to
extract a session key from the handshake - it would seem that none of these
simple password mechs would accommodate this requirement.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun     
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-devel at
> [mailto:owner-openldap-devel at]On Behalf Of Luke Howard

> Another option, at least for OpenLDAP 2.2, is to write a SLAPI pre-
> operation bind plugin that performs the necessary authentication.
