OpenLDAP and Samba4 - password sync as a first step?

Andrew Bartlett abartlet at samba.org
Mon May 20 16:23:25 MDT 2013


On Sat, 2013-05-18 at 10:15 -0700, Howard Chu wrote:
> Andrew Bartlett wrote:
> > On Wed, 2013-04-17 at 14:58 -0700, Howard Chu wrote:
> >> Hey there list, Andrew... I keep meaning to have this discussion with Andrew
> >> and then it always slips by, but this time for sure.
> >>
> >> I'll keep this short - my colleagues at Symas want to know what it will take
> >> to bring OpenLDAP up to date to be usable directly by Samba as a first-class
> >> recommended option, not just "yeah that should work but..." I've reviewed some
> >> of the previous discussions on this topic in the archives, but I suspect some
> >> of those points are now out of date.
> >
> > I've been thinking about ways we could better work with OpenLDAP, as I
> > talk more and more with Samba users who can't just drop their existing
> > configurations, or don't want to migrate their unix-like world to AD,
> > even if provided by Samba.
> >
> > There are many tools to sync directories, and while I dislike that as a
> > concept, they are part of the world we work in.  What they generally
> > miss is a good way to handle passwords, and there is where I thought we
> > might be able to make some positive progress.
> >
> > In particular, I'm wondering about having Samba sync either the
> > plaintext password (when sent to us during a password change) or an
> > appropriate password hash to OpenLDAP, and have OpenLDAP send us the
> > plaintext password if it does the change.
> 
> Sounds like a good first step. One question, Microsoft already provides an 
> agent that runs on AD DCs to export password modifications (to a corresponding 
> Unix listener). Should we use the same protocol as this agent? I've looked at 
> it a few times, and thought about implementing the listener directly in slapd.

I guess that might be valuable in some situations, and would be useful
in situations where we have a mix of Samba and Windows AD, or pure
Windows AD.  It certainly would be very useful to have Samba implement
the Windows half of the protocol, as folks do ask for this feature
often.

I'm actually particularly keen on my second proposal, because it doesn't
need an 'all change' to get the passwords out, doesn't need all DCs that
could change the password to run it, and,
if the domain is recent enough, a failure can be fixed by just re-reading the AD directory.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org