Integrate Heimdal's hdb-ldap and Samba

Andrew Bartlett abartlet at samba.org
Sun Feb 29 06:19:05 GMT 2004


On Sun, 2004-02-29 at 17:11, Howard Chu wrote:
> > -----Original Message-----
> > From: owner-heimdal-discuss at sics.se
> > [mailto:owner-heimdal-discuss at sics.se]On Behalf Of Andrew Bartlett
> 
> > One thing we probably should allow (but probably not encourage) is
> > putting plaintext passwords into LDAP, so that Samba, Heimdal,
> > Cyrus-SASL, HTTP-Digest and the rest can all use the exact same
> > password, without the multiple-hashes problem.   Then each program can
> > hash it as required.
> 
> We have a patch for OpenLDAP to let default_passwd_hash take a list of hash
> schemes instead of just one. Then whenever using the PasswordModify exop, all
> of the hashes will be generated from the provided plaintext password. This
> will allow multiple hashes to be maintained without actually needing to store
> the plaintext. This patch will be in OpenLDAP's CVS HEAD soon. We also have a
> {KRB5KEY} hash so that Heimdal can have its keys maintained automatically by
> slapd. Of course Cyrus SASL still uses the plaintext...

This is one of the things I've been waiting for for ages.  

The tricky bit is that we need to modify attributes outside just the
userPassword.  Storing the password is one thing, but if we store the
krb5Key in userPassword, we still need to store the KVNO (key version
number), and for samba you *must* update the 'last changed time'.

So, is it possible that your patch will update these attributes too, and
given that, will it update the krb5key and sambaNTpassword, or will we
need to have multiple places we look for passwords (not hard for Samba,
but a pain for all the auxiliary scripts)?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
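The exchange above turns on two points: Howard's patch regenerates every configured hash from the plaintext supplied in a PasswordModify, so the plaintext itself is never stored, and Andrew's reply that a password change must also move the bookkeeping attributes (the key version number and Samba's last-changed time) in the same operation. The script below is an added illustration of that whole-change view and is not code from OpenLDAP, Heimdal or Samba. It derives a {SSHA} userPassword and the Samba NT hash (MD4 over UTF-16LE) from one plaintext, bumps the KVNO and the last-set timestamp, and emits everything as a single LDIF modify; the Kerberos keys themselves (krb5Key, which need string-to-key) are deliberately left out. The attribute names sambaNTPassword, sambaPwdLastSet and krb5KeyVersionNumber are taken from the Samba and Heimdal schemas as I recall them and should be treated as assumptions, as should the DN in the usage line. MD4 is implemented inline only so the NT hash does not depend on OpenSSL's legacy provider being enabled in hashlib.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); present only because hashlib's 'md4' is
    often unavailable on systems without OpenSSL's legacy provider."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    # Pad: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:
                fn, k, s, add = f, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                fn, k, s, add = g, (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                fn, k, s, add = h, r3_order[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            # Each step updates one register; rotating the tuple walks
            # through the ABCD / DABC / CDAB / BCDA pattern of the spec.
            a = rotl((a + fn(b, c, d) + x[k] + add) & MASK32, s)
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: MD4 over the UTF-16LE password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ssha_hash(password: str, salt: bytes = None) -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate against a stored {SSHA} value in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def password_change_mods(password: str, current_kvno: int,
                         now: int = None, salt: bytes = None) -> list:
    """The modifications one password change should produce: every hash is
    regenerated from the plaintext (which is never stored), and the
    bookkeeping attributes move in the same modify so no consumer sees a
    new hash with a stale KVNO or last-set time. Attribute names for the
    Samba and Heimdal schemas are assumptions; krb5Key is omitted because
    it requires Kerberos string-to-key."""
    now = int(time.time()) if now is None else now
    return [
        ("replace", "userPassword", ssha_hash(password, salt)),
        ("replace", "sambaNTPassword", nt_hash(password)),
        ("replace", "sambaPwdLastSet", str(now)),
        ("replace", "krb5KeyVersionNumber", str(current_kvno + 1)),
    ]


def to_ldif(dn: str, mods: list) -> str:
    """Render the modification list as a single LDIF changetype: modify."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, value in mods:
        lines += [f"{op}: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed example DN and password; prints one atomic modify.
    print(to_ldif("uid=alice,ou=People,dc=example,dc=org",
                  password_change_mods("example-only", current_kvno=3)))
```

Everything that must change together is emitted as one modify, which is the property Andrew is asking about: a directory-side hook that only rewrites userPassword would leave sambaPwdLastSet and the KVNO stale, and Samba and Heimdal would disagree about whether the change happened at all.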