[PATCH] ldap pw sync exop

Pierre Filippone pierre.filippone at Retail-sc.com
Mon Jan 5 13:53:55 GMT 2004

>> Hi,
>> we would like Samba 3 to be part of our "One Account/One Password" 
>> solution based on OpenLDAP.
>> Therefore we need the ldap password synchronisation feature.
>> Our problem:
>> It uses ldap extended operations to set the "userpassword" attribute, 
>> which encrypts the passwords.
>> Basically quite OK, but not for us, because we need the user password 
>> cleartext for various reasons
>> (for example Radius and CHAP...)
>> So I made a little patch, introducing a new boolean parameter "ldap 
>> password sync exop".
>> It defaults to "yes", so the behaviour is as it was without the patch.
>> If set to "no", "smbldap_modify" is used instead of 
>> "smbldap_extended_operation", which leads
>> to plaintext userpassword attributes, as we need it. 
>> Is there any chance, that the change is included in the next release ? 
>No.  You should be able to configure/modify the OpenLDAP server not to 
use hashed passwords. 
>I think
>password-hash {CLEARTEXT}
>option in the slapd.conf should do it.
>Andrew Bartlett

Yes, you seem to be right for OpenLDAP 2.1.

But we use 2.0.
The man page of 2.0 does not say anything about "cleartext" as 
I tried it out anyway on a test server - doesn't work.

As you probably understand, we are very, very careful about changing our 
LDAP server configuration, 
because we use it for a large number of different services/applications. 

We will probably upgrade it in the (near ?) future, but that will require 
a lot of work 
and extensive testing. 
And of course that will need quite a lot of time...

It's ok for us to apply the patch to our own Samba version,
until we upgrade our LDAP servers.
But maybe there are also other people who could need it ?


Pierre Filippone 

More information about the samba-technical mailing list