Getting OpenLDAP to auth users against sambaNTPassword

Andrew Bartlett abartlet at
Thu Jun 19 21:57:56 GMT 2003

On Fri, 2003-06-20 at 06:43, Jonghyuk Choi wrote:
> >Except that is modifying to client to satisfy the server - and I'm not
> >sure that solves our problem.  If I wanted to modify the client, I would
> >run pam_winbind - that also works out of the box.  But that's not the
> >solution I'm looking for, and for LDAP to use it, we have the mess I
> >described. 
> >
> >We need a solution that works for the simple bind.  Then we can look at
> >'secure' alternatives.
> Hi. I also have been following this thread.
> If the intent is to use simple bind, client changes don't seem necessary.
> As Howard pointed out, {LM|NT} schemes can be added with a libutil 
> backport
> to OpenLDAP 2.1 from CVS. 
> The synchronization issue can be solved by a plugin or by a proxy.
> sambaLMPassword attribute can be synced to the userPassword
> attribute either before bind or after password modification.

Except that we can't put the plaintext or {CRYPT} value there, so we are
back to {LM|NT} schemes, which seem to have other issues, like the fact
that we have other hash types we would be interfere with.

I really don't think asking our admins to setup an OpenLDAP proxy
installation is viable...  

> Another option is to use back-ldap, as SLAPI is not supported in OpenLDAP 
> 2.1.
> Entries in the native backend have userPassword attribute and is shown to
> the client with the sambaLMPassword attribute instead of it through the 
> mapping
> capability of back-ldap. The mapping works at both read and write.
> (In fact, when I've been searching the OpenLDAP archive, I found a short 
> discussion
> on the attribute level aliasing, but couldn't find followups. Anybody 
> knows the status ?)
> - Jong
> ------------------------
> Jong Hyuk Choi
> IBM Thomas J. Watson Research Center - Enterprise Linux Group
> P. O. Box 218, Yorktown Heights, NY 10598
> email: jongchoi at
> (phone) 914-945-3979    (fax) 914-945-4425   TL: 862-3979
Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list