Getting OpenLDAP to auth users against sambaNTPassword

Jonghyuk Choi jongchoi at us.ibm.com
Thu Jun 19 20:43:21 GMT 2003


>Except that is modifying the client to satisfy the server - and I'm not
>sure that solves our problem.  If I wanted to modify the client, I would
>run pam_winbind - that also works out of the box.  But that's not the
>solution I'm looking for, and for LDAP to use it, we have the mess I
>described. 
>
>We need a solution that works for the simple bind.  Then we can look at
>'secure' alternatives.

Hi. I also have been following this thread.

If the intent is to use simple bind, client changes don't seem necessary.
As Howard pointed out, {LM|NT} schemes can be added with a libutil backport
to OpenLDAP 2.1 from CVS.

The synchronization issue can be solved by a plugin or by a proxy.
The sambaLMPassword attribute can be synced to the userPassword
attribute either before bind or after password modification.
Another option is to use back-ldap, as SLAPI is not supported in OpenLDAP 2.1.
Entries in the native backend have the userPassword attribute, and it is shown
to the client as the sambaLMPassword attribute through the mapping
capability of back-ldap. The mapping works for both read and write.
(In fact, when I was searching the OpenLDAP archive, I found a short
discussion on attribute-level aliasing, but couldn't find follow-ups.
Does anybody know the status?)

- Jong

------------------------
Jong Hyuk Choi
IBM Thomas J. Watson Research Center - Enterprise Linux Group
P. O. Box 218, Yorktown Heights, NY 10598
email: jongchoi at us.ibm.com
(phone) 914-945-3979    (fax) 914-945-4425   TL: 862-3979
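Added example, not part of Jong's message and not OpenLDAP or Samba code: the Python below shows the two pieces the message relies on, an {NT} password scheme that verifies a simple-bind password against the Samba NT hash, and the attribute synchronisation that keeps sambaNTPassword and userPassword in step (copied before a bind, or set together after a password change). It assumes the scheme value is stored as the literal prefix {NT} followed by the same 32 upper-case hex digits Samba keeps in sambaNTPassword. MD4 is written out inline because hashlib's md4 is not available everywhere; the LM variant is left out because it needs DES, which the standard library lacks; the directory entry at the bottom is constructed sample data.

```python
"""Added example: {NT} scheme verification and sambaNTPassword <-> userPassword sync.

Assumptions (not from the post): userPassword holds "{NT}" + 32 upper-case hex
digits, i.e. the same MD4(UTF-16LE(password)) value Samba stores in
sambaNTPassword. MD4 is implemented inline (RFC 1320) so this runs without an
OpenSSL legacy provider.
"""
import hmac
import struct

_M = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M


def _md4_round(v, X, fn, order, shifts, const):
    # Step i updates word v[t] and feeds the other three words, in the rotating
    # order of RFC 1320 (ABCD, DABC, CDAB, BCDA), to the round function.
    for i, k in enumerate(order):
        t = (-i) % 4
        x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
        v[t] = _lrot((v[t] + fn(x, y, z) + X[k] + const) & _M, shifts[i % 4])


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320; returns the 16-byte digest."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        _md4_round(v, X, F, range(16), (3, 7, 11, 19), 0)
        _md4_round(v, X, G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
                   (3, 5, 9, 13), 0x5A827999)
        _md4_round(v, X, H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                   (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(s + w) & _M for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: MD4 over the UTF-16LE password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def sync_userpassword(entry: dict) -> dict:
    """Pre-bind sync: derive userPassword from the entry's sambaNTPassword."""
    out = dict(entry)
    out["userPassword"] = "{NT}" + entry["sambaNTPassword"].upper()
    return out


def set_password(entry: dict, plaintext: str) -> dict:
    """Post-modification sync: a password change writes both attributes at once."""
    out = dict(entry)
    out["sambaNTPassword"] = nt_hash(plaintext)
    out["userPassword"] = "{NT}" + out["sambaNTPassword"]
    return out


def verify_simple_bind(stored_userpassword: str, candidate: str) -> bool:
    """What an {NT} scheme does on simple bind: hash the candidate, compare."""
    if not stored_userpassword.upper().startswith("{NT}"):
        return False  # unknown scheme: slapd would fail the bind
    stored = stored_userpassword[4:].upper()
    if len(stored) != 32 or any(c not in "0123456789ABCDEF" for c in stored):
        return False  # malformed hash, never equal
    return hmac.compare_digest(nt_hash(candidate), stored)


if __name__ == "__main__":
    # Constructed sample entry; the hash is that of the string "password".
    entry = {"uid": "jdoe", "sambaNTPassword": "8846F7EAEE8FB117AD06BDD830B7586C"}
    synced = sync_userpassword(entry)
    print(synced["userPassword"])
    print(verify_simple_bind(synced["userPassword"], "password"))   # True
    print(verify_simple_bind(synced["userPassword"], "Password"))   # False
    print(set_password(entry, "new-secret")["sambaNTPassword"])
```

Both sync directions produce the same userPassword value, so a client that only knows how to simple-bind gets checked against the Samba hash without any client-side change, which is the point Jong makes about not needing pam_winbind for this case.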