Getting OpenLDAP to auth users against sambaNTPassword

Howard Chu hyc at
Thu Jun 19 17:38:58 GMT 2003

> -----Original Message-----
> From: owner-openldap-devel at
> [mailto:owner-openldap-devel at]On Behalf Of Andrew Bartlett

> Except that is modifying to client to satisfy the server - and I'm not
> sure that solves our problem.  If I wanted to modify the client, I would
> run pam_winbind - that also works out of the box.  But that's not the
> solution I'm looking for, and for LDAP to use it, we have the mess I
> described.
> We need a solution that works for the simple bind.  Then we
> can look at 'secure' alternatives.

You're not seeing the whole picture I just outlined.

1) You can add your own passwd mech for Simple Bind that works with whatever
values you want. These can be NT or LM hashes. To do this, you need to use
the userPassword attribute with a scheme identifier.

2) You can add a SASL mech that works with whatever values you want. Again,
these can be NT or LM hashes, it doesn't need to be cleartext. If you do (1)
you can write your SASL mech to use the same attribute values.

But for your last comment - if you leave security as an afterthought, you
create the same kind of mess as Microsoft. Leaving aside the fact that you
don't have plaintext passwords to start from, any site that would veto an
implementation because it stores plaintext passwords *should* logically also
veto an implementation that transmits plaintext passwords over a network.

Don't think of it as modifying the client to satisfy the server - it's
modifying the client to satisfy *administration needs*, which is exactly what
you said originally - to get sanity for the admins.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun     
  Symas: Premier OpenSource Development and Support

More information about the samba-technical mailing list