Getting OpenLDAP to auth users against sambaNTPassword

Howard Chu hyc at
Thu Jun 19 09:25:21 GMT 2003

> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at]

> Having looked again at the OpenLDAP archives I want to stress
> again that
> we:
>  - Do not have access to the original passwords
>  - Could not, even if we wanted to, store the plaintext (would rule us
> out of most organizations).
>  - We can't do an LDAP bind the authenticate the user, even to an
> NTLMSSP aware server.

OK, thanks for the refresher, this is beginning to make more sense.

> Furthermore, it would be *highly* advantageous if we could update the NT
> and LM passwords on user password changes, but I'm not holding my
> breath...

Let's assume that you have {NT} and {LANMAN} hashes stored in the entry. You
could explicitly store new hashes with LDAPModify, or you could write a
ModifyPwd plugin that takes a plaintext password and generates hashes for all
of the userPassword values. This would keep your Unix {CRYPT} users happy
too, I think.

> On the sanity point - what I really don't want is to write a doco that
> tells our admins to do this:
>  - Install (and configure Cyrus SASL)
>  - Configure it for PAM authentication.
>  - Configure PAM to use pam_winbind.
>  - Configure winbind with 'winbind use default domain = yes'.
>  - Configure Samba to use LDAP.
>  - Set the userPassword to '{SASL}x'.
>  - Hope the account Samba users doesn't ahve this set (loops).
>  - Pray that the chain doesn't fall apart....
> It *has* to be easier than this...


I should note that OpenLDAP 2.2 also provides an entry point for registering
new password mechanisms. So you can code up whatever "{SCHEME}data" mech you
want and dynamically load it into slapd. You can also dynamically load a
plugin to take care of the synchronization aspects, as Luke already
mentioned. OpenLDAP 2.2 will also have a native (non-SLAPI) plugin mechanism
that can do this job.

I think it would be worthwhile to implement a proper NTLM challenge-response
mechanism for SASL though, which operates from the hashes that are available
to you, and provides a sasl_setpassword entry point. There's nothing that
requires a SASL mechanism to use the userPassword attribute; the mech can
operate on any attribute it wants.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun     
  Symas: Premier OpenSource Development and Support

More information about the samba-technical mailing list