Getting OpenLDAP to auth users against sambaNTPassword

Jonghyuk Choi jongchoi at
Thu Jun 19 20:43:21 GMT 2003

>Except that is modifying to client to satisfy the server - and I'm not
>sure that solves our problem.  If I wanted to modify the client, I would
>run pam_winbind - that also works out of the box.  But that's not the
>solution I'm looking for, and for LDAP to use it, we have the mess I
>We need a solution that works for the simple bind.  Then we can look at
>'secure' alternatives.

Hi. I also have been following this thread.

If the intent is to use simple bind, client changes don't seem necessary.
As Howard pointed out, {LM|NT} schemes can be added with a libutil 
to OpenLDAP 2.1 from CVS. 

The synchronization issue can be solved by a plugin or by a proxy.
sambaLMPassword attribute can be synced to the userPassword
attribute either before bind or after password modification.
Another option is to use back-ldap, as SLAPI is not supported in OpenLDAP 
Entries in the native backend have userPassword attribute and is shown to
the client with the sambaLMPassword attribute instead of it through the 
capability of back-ldap. The mapping works at both read and write.
(In fact, when I've been searching the OpenLDAP archive, I found a short 
on the attribute level aliasing, but couldn't find followups. Anybody 
knows the status ?)

- Jong

Jong Hyuk Choi
IBM Thomas J. Watson Research Center - Enterprise Linux Group
P. O. Box 218, Yorktown Heights, NY 10598
email: jongchoi at
(phone) 914-945-3979    (fax) 914-945-4425   TL: 862-3979

More information about the samba-technical mailing list