[Samba] LDAP and the Password attribute in SAMBA

Andrew Bartlett abartlet at samba.org
Sun Apr 10 12:16:19 GMT 2005


On Sun, 2005-04-10 at 13:53 +0200, Tony Earnshaw wrote:
> On Sun, 10.04.2005 at 02.56, Gerald (Jerry) Carter wrote:
> 
> [...]
> 
> > There was some interesting code submitted by Engineers
> > at Novell for utilizing the clear text password in eDirectory.
> > The password is pulled via an extended LDAP operation from the
> > DSA (over ldaps).  smbd can then generate the lm and nt
> > hashes from this therefore allowing one password to be stored.
> > We could do the same thing with OpenLDAP if people felt this
> > was helpful.  I.e. Is storing 'userPassword: {clear}secret'
> > worth the single password configuration?
> 
> This would be fantastic. I have to have plain text userPasswords in the
> LDAP database for non-Samba related CRAM- and DIGEST-MD5 purposes.
> Syncing the 3 password types is no great hassle, but not having to do
> that would definitely be a plus. Is Novell's code Open Source, then?

Yes, it's in current Samba releases.  What we should simply do is search
for the userPassword attribute, and call pdb_set_plaintext_password().
The tricky part of the patch will be writing the password back - I think
that the default behaviour should be to write back into the plaintext
password attribute, unless 'ldap password sync' is set.

(this will imply keeping a little state around, but it won't be hard).

> > And before anyone yells the word 'security!', the danger
> > is in obtaining the OpenLDAP db files.  It is possible to
> > secure the password from unauthorized LDAP client access.
> > Of course, the security settings are slightly more challenging
> > than relying on hashed passwords being stored in the directory.
> > However, the lm and nt password hashes are clear text equivalent
> > so for those people using Samba, using {clear} would be
> > only slightly more scary.
> 
> I'm not worried about plain text passwords in the LDAP DB. The only
> users who have access to them are the slapd user (no shell) and root.
> All traffic over the wire always goes encrypted (SSL/TLS). A great addition
> to ldapsam where the Samba installation is on the same box as the LDAP
> DB, would be Unix sockets. I don't have this setup at my production
> site, but do on my test rig.

Samba supports ldapi:/// in the LDAP URLs, and I hope other applications
can be taught to use generic LDAP URLs, as it's very handy.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net