[PATCH] ldap pw sync exop

Andrew Bartlett abartlet at samba.org
Mon Jan 5 10:27:50 GMT 2004


On Mon, Jan 05, 2004 at 11:15:22AM +0100, Pierre Filippone wrote:
> Hi,
> 
> we would like Samba 3 to be part of our "One Account/One Password" 
> solution based on OpenLDAP.
> Therefore we need the ldap password synchronisation feature.
> 
> Our problem:
> It uses ldap extended operations to set the "userpassword" attribute, 
> which encrypts the passwords.
> Basically quite OK, but not for us, because we need the user password in 
> cleartext for various reasons
> (for example Radius and CHAP...)
> 
> So I made a little patch, introducing a new boolean parameter "ldap 
> password sync exop".
> It defaults to "yes", so the behaviour is as it was without the patch.
> If set to "no", "smbldap_modify" is used instead of 
> "smbldap_extended_operation", which leads
> to plaintext userpassword attributes, as we need it. 
> 
> Is there any chance that the change is included in the next release?


No.  You should be able to configure/modify the OpenLDAP server not to use hashed passwords.  

I think
 
password-hash {CLEARTEXT}

option in the slapd.conf should do it.

Andrew Bartlett

