Migrating from Apple OpenDirectory?
Andrew Bartlett
abartlet at samba.org
Fri May 21 17:23:11 MDT 2010
On Fri, 2010-05-21 at 17:44 +0200, Michael Wood wrote:
> In case you've forgotten, I'm trying to get some users out of Open
> Directory into Samba4 for authentication purposes.
>
> On 20 April 2010 04:54, Andrew Bartlett <abartlet at samba.org> wrote:
> [...]
> > Honestly, I'm not sure. You would need to write up a python script (I
> > think) that would first import the users from the OpenDirectory
> > (preserving their SIDs), and then extract the 'arcfour-hmac-md5' (type
> > 23) key and set it into the unicodePwd attribute in Samba4's LDAP
> > server.
> >
> > Once you have the data in the dump format, this may be easy to parse, or
> > else it may be better to read it using Heimdal tools somehow.
>
> OK, I had some trouble with the stash file from the OS X box, but I
> now have a dump file in the Heimdal dump format, so I can get at the
> arcfour-hmac-md5 keys. Do I just shove those into the unicodePwd
> attribute?
Yes, as a 16 byte array (not hex encoded or anything, just raw in LDAP -
you may need to base64 them if putting them in via LDIF).
> What about the other keys? There are two des-hmac-crc (type 1) keys
> and a 3des-hmac-sha1 (type 16) key for each principal too. Should I
> just ignore those?
I would, yes. Clients and servers that can't use the arcfour-hmac-md5
keys are pretty rare these days.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
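
The conversion described in the message above, as an added example that is not part of the original post or of Samba: pick the type 23 key for one principal, check that it decodes to 16 raw bytes, and base64 it into an LDIF modify record for unicodePwd. It assumes the keys have already been pulled out of the Heimdal dump as (type, hex string) pairs; the sample keys and the DN are constructed, and how the record is applied to the Samba4 directory is not covered here.

```python
import base64

ARCFOUR_HMAC_MD5 = 23  # the "type 23" key discussed in the thread


def pick_nt_key(keys):
    """Return the raw 16-byte arcfour-hmac-md5 key from (etype, hex) pairs."""
    matches = [hexkey for etype, hexkey in keys if etype == ARCFOUR_HMAC_MD5]
    # Refuse to guess when the key is missing or several versions are present.
    if len(matches) != 1:
        raise ValueError(f"expected one type-23 key, found {len(matches)}")
    raw = bytes.fromhex(matches[0])  # raises ValueError on malformed hex
    if len(raw) != 16:
        raise ValueError(f"type-23 key is {len(raw)} bytes, expected 16")
    return raw


def ldif_modify(dn, raw_key):
    """Build an LDIF modify record; '::' marks the value as base64."""
    b64 = base64.b64encode(raw_key).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {b64}",
        "-",
        "",
    ])


# Constructed sample: two type 1 keys, one type 16 key and one type 23 key,
# matching the per-principal layout described in the thread. Not real keys.
SAMPLE_KEYS = [
    (1, "0123456789abcdef"),
    (1, "fedcba9876543210"),
    (16, "00" * 24),
    (23, "00112233445566778899aabbccddeeff"),
]
SAMPLE_DN = "CN=Example User,CN=Users,DC=example,DC=com"  # hypothetical DN

if __name__ == "__main__":
    print(ldif_modify(SAMPLE_DN, pick_nt_key(SAMPLE_KEYS)))
```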