Intergrate Heimdal's hdb-ldap and Samba

Howard Chu hyc at
Sun Feb 29 06:11:44 GMT 2004

> -----Original Message-----
> From: owner-heimdal-discuss at
> [mailto:owner-heimdal-discuss at]On Behalf Of Andrew Bartlett

> One thing we probably should allow (but probably not encourage) is
> putting plaintext passwords into LDAP, so that Samba, Heimdal,
> Cyrus-SASL, HTTP-Digest and the rest can all use the exact same
> password, without the multiple-hashes problem.   Then each program can
> hash it as required.

We have a patch for OpenLDAP to let default_passwd_hash take a list of hash
schemes instead of just one. Then whenever using the PasswordModify exop, all
of the hashes will be generated from the provided plaintext password. This
will allow multiple hashes to be maintained without actually needing to store
the plaintext. This patch will be in OpenLDAP's CVS HEAD soon. We also have a
{KRB5KEY} hash so that Heimdal can have its keys maintained automatically by
slapd. Of course Cyrus SASL still uses the plaintext...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun     
  Symas: Premier OpenSource Development and Support

More information about the samba-technical mailing list