OpenLDAP and Samba4 - password sync as a first step?

Andrew Bartlett abartlet at samba.org
Fri May 17 17:44:56 MDT 2013


On Wed, 2013-04-17 at 14:58 -0700, Howard Chu wrote:
> Hey there list, Andrew... I keep meaning to have this discussion with Andrew 
> and then it always slips by, but this time for sure.
> 
> I'll keep this short - my colleagues at Symas want to know what it will take 
> to bring OpenLDAP up to date to be usable directly by Samba as a first-class 
> recommended option, not just "yeah that should work but..." I've reviewed some 
> of the previous discussions on this topic in the archives, but I suspect some 
> of those points are now out of date.

I've been thinking about ways we could better work with OpenLDAP, as I
talk more and more with Samba users who can't just drop their existing
configurations, or don't want to migrate their unix-like world to AD,
even if provided by Samba.

There are many tools to sync directories, and while I dislike that as a
concept, they are part of the world we work in.  What they generally
miss is a good way to handle passwords, and that is where I thought we
might be able to make some positive progress.

In particular, I'm wondering about having Samba sync either the
plaintext password (when sent to us during a password change) or an
appropriate password hash to OpenLDAP, and have OpenLDAP send us the
plaintext password if it does the change. 

For real-time both-directions sync of real passwords with policy
enforcement:

I'm thinking something like this:
 - password change proposed to Samba
 - verify Samba would accept password
 - (maybe - transactions over network ops are bad) start Samba
transaction 
 - ask openldap to change password
 - set password in Samba
 - (maybe) commit samba transaction 

and in the reverse:

 - password change proposed to OpenLDAP
 - verify OpenLDAP would accept password
 - (maybe) start OpenLDAP transaction
 - ask Samba to change password
 - set password in OpenLDAP
 - (maybe) commit OpenLDAP transaction

I would propose that we use an extended operation (perhaps based on the
existing one) to do the password change, but extended so that OpenLDAP
and Samba know if it is a password change or set, but without seeing the
old password. 

That way, OpenLDAP and Samba can both veto a password, keep applying
policy and hopefully things can't get out of sync.

For situations where Samba is the master, or where AD is the master, and
Samba is just part of a broader AD domain, I wondered if we could have:

 - password change proposed to samba
 - verify Samba accepts password
 - send the aes256-cts-hmac-sha1-96 hash to OpenLDAP
   (this hash chosen as all current AD servers can generate it, and it
is salted unlike previous AD keys)
 - set password in samba

For replicated from another AD:
 - when password change noticed
 - send the aes256-cts-hmac-sha1-96 hash to OpenLDAP

For the reverse:
 - password change proposed to OpenLDAP
 - send password change to samba
 - wait for return of aes256-cts-hmac-sha1-96 hash

What do you think?  Once password changes 'just work', I think some of
the other pain points become much easier, for dual-directory
situations. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
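The third flow above hinges on shipping the aes256-cts-hmac-sha1-96 key rather than the password, and on that key being salted. The following is an added example, not code from Samba, OpenLDAP or this thread, showing how that key is derived from a password and salt per RFC 3962 (PBKDF2-HMAC-SHA1 into a temporary key, then DK(tkey, "kerberos") via the RFC 3961 n-fold function). It is written in Go only because its standard library has AES and HMAC-SHA1 built in. It checks itself against the RFC 3962 Appendix B vector ("password", salt "ATHENA.MIT.EDUraeburn", 1200 iterations); 4096 iterations is the RFC default and what AD uses. The realm "example.com" and users "alice"/"bob" are made up, and the user-account salt convention (uppercase realm followed by the sAMAccountName) is the assumption of this example; computer accounts are salted differently and are not handled here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
)

// gcd is needed by nfold to size the lcm of input and output lengths.
func gcd(a, b int) int {
	for b != 0 {
		a, b = b, a%b
	}
	return a
}

// rotateRight rotates the big-endian bit string in right by bits.
func rotateRight(in []byte, bits int) []byte {
	n := len(in) * 8
	bits %= n
	v := new(big.Int).SetBytes(in)
	mask := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), uint(n)), big.NewInt(1))
	lo := new(big.Int).Rsh(v, uint(bits))
	hi := new(big.Int).Lsh(v, uint(n-bits))
	hi.And(hi, mask)
	return lo.Or(lo, hi).FillBytes(make([]byte, len(in)))
}

// nfold is the n-fold function of RFC 3961 section 5.1: copies of the input,
// each rotated right 13 bits more than the previous one, are concatenated up
// to lcm(len(in), outLen) bytes and the outLen-byte chunks are summed with
// ones'-complement addition.
func nfold(in []byte, outLen int) []byte {
	inLen := len(in)
	lcm := inLen / gcd(inLen, outLen) * outLen
	buf := make([]byte, 0, lcm)
	for i := 0; len(buf) < lcm; i++ {
		buf = append(buf, rotateRight(in, 13*i)...)
	}
	width := uint(outLen * 8)
	mask := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), width), big.NewInt(1))
	sum := new(big.Int)
	for off := 0; off < lcm; off += outLen {
		sum.Add(sum, new(big.Int).SetBytes(buf[off:off+outLen]))
	}
	for sum.BitLen() > int(width) { // fold the carry back in (ones' complement)
		carry := new(big.Int).Rsh(sum, width)
		sum.And(sum, mask)
		sum.Add(sum, carry)
	}
	return sum.FillBytes(make([]byte, outLen))
}

// pbkdf2SHA1 is PBKDF2 (RFC 2898) with HMAC-SHA1 as the PRF, written out so the
// example has no dependency outside the standard library.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	out := make([]byte, 0, keyLen+sha1.Size)
	for blockNum := uint32(1); len(out) < keyLen; blockNum++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], blockNum)
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil) // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_j = PRF(P, U_{j-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// aes256StringToKey derives the aes256-cts-hmac-sha1-96 key of RFC 3962:
// tkey = PBKDF2-HMAC-SHA1(password, salt, iter, 32); key = DK(tkey, "kerberos").
// For the AES enctypes DK encrypts n-fold("kerberos") under tkey with a zero IV
// (CTS on a single whole block is plain CBC, i.e. one ECB block) and chains the
// output block until 32 bytes of key material exist.
func aes256StringToKey(password, salt string, iter int) ([]byte, error) {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iter, 32)
	block, err := aes.NewCipher(tkey)
	if err != nil {
		return nil, err
	}
	prev := nfold([]byte("kerberos"), aes.BlockSize)
	key := make([]byte, 0, 32)
	for len(key) < 32 {
		next := make([]byte, aes.BlockSize)
		block.Encrypt(next, prev)
		key = append(key, next...)
		prev = next
	}
	return key, nil
}

// adUserSalt is the assumed AD salt for a user account: uppercase realm then
// the sAMAccountName (case preserved). Computer accounts differ; not handled.
func adUserSalt(realm, sAMAccountName string) string {
	return strings.ToUpper(realm) + sAMAccountName
}

func main() {
	key, err := aes256StringToKey("password", "ATHENA.MIT.EDUraeburn", 1200)
	if err != nil {
		panic(err)
	}
	// RFC 3962 Appendix B: 55a6ac740ad17b4846941051e1e8b0a7548d93b0ab30a8bc3ff16280382b8c2a
	fmt.Println("RFC 3962 vector:", hex.EncodeToString(key))

	// Constructed example: same password, two (made-up) users of one realm.
	a, _ := aes256StringToKey("Passw0rd!", adUserSalt("example.com", "alice"), 4096)
	b, _ := aes256StringToKey("Passw0rd!", adUserSalt("example.com", "bob"), 4096)
	fmt.Println("same password, different salt, equal keys?", bytes.Equal(a, b)) // false
}
```

Two properties matter for the sync design: the key is bound to the salt, so it cannot be copied between accounts or realms the way an unsalted NT hash can, and it is derived through 4096 PBKDF2 rounds, so the receiving directory can verify a password against it but not recover the password. The side that receives the key must therefore also receive, or already know, the exact salt (and iteration count) the sender used, or it will never match a later bind.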



