[Samba] LDAP and the Password attribute in SAMBA

Tony Earnshaw tonye at billy.demon.nl
Sun Apr 10 11:53:51 GMT 2005

On Sun, 10.04.2005 at 02.56, Gerald (Jerry) Carter wrote:

> There was some interesting code submitted by Engineers
> at Novell for utilizing the clear text password in eDirectory.
> The password is pulled via an extended LDAP operation from the
> DSA (over ldaps).  smbd can then generate the lm and nt
> hashes from this therefore allowing one password to be stored.
> We could do the same thing with OpenLDAP if people felt this
> was helpful.  I.e. Is storing 'userPassword: {clear}secret'
> worth the single password configuration?

This would be fantastic. I have to have plain text userPasswords in the
LDAP database for non-Samba related CRAM- and DIGEST-MD5 purposes.
Syncing the 3 password types is no great hassle, but not having to do
that would definitely be a plus. Is Novell's code Open Source, then?

> And before anyone yells the word 'security!', the danger
> is in obtaining the OpenLDAP db files.  It is possible to
> secure the password from unauthorized LDAP client access.
> Of course, the security settings are slightly more challenging
> than relying on hashed passwords being stored in the directory.
> However, the lm and nt password hashes are clear text equivalent
> so for those people using Samba, using {clear} would be
> only slightly more scary.

I'm not worried about plain text passwords in the LDAP DB. The only
users who have access to them are the slapd user (no shell) and root.
All traffic over the wire always goes encrypted (SSL/TLS). A great addition
to ldapsam where the Samba installation is on the same box as the LDAP
DB, would be Unix sockets. I don't have this setup at my production
site, but do on my test rig.

> Just some thoughts.
Nothing sucksseeds like a pigeon without a beak ...

mail: tonye at billy.demon.nl
They love us, don't they, They feed us, won't they ...