[Samba] LDAP and the Password attribute in SAMBA

Tony Earnshaw tonye at billy.demon.nl
Sun Apr 10 13:38:20 GMT 2005


Sun, 10.04.2005 at 14.16, Andrew Bartlett wrote:

[...]

>  database for non-Samba related CRAM- and DIGEST-MD5 purposes.
> > Syncing the 3 password types is no great hassle, but not having to do
> > that would definitely be a plus. Is Novell's code Open Source, then?
> 
> Yes, it's in current Samba releases.  What we should simply do is search
> for the userPassword attribute, and call pdb_set_plaintext_password().
> The tricky part of the patch will be writing the password back - I think
> that the default behaviour should be to write back into the plaintext
> password attribute, unless 'ldap password sync' is set.
> 
> (this will imply keeping a little state around, but it won't be hard).

Sounds good.

> > > And before anyone yells the word 'security!', the danger
> > > is in obtaining the OpenLDAP db files.  It is possible to
> > > secure the password from unauthorized LDAP client access.
> > > Of course, the security settings are slightly more challenging
> > > than relying on hashed passwords being stored in the directory.
> > > However, the lm and nt password hashes are clear text equivalent
> > > so for those people using Samba, using {clear} would be
> > > only slightly more scary.
> > 
> > I'm not worried about plain text passwords in the LDAP DB. The only
> > users who have access to them are the slapd user (no shell) and root.
> > All traffic over the wire always goes encrypted (SSL/TLS). A great addition
> > to ldapsam where the Samba installation is on the same box as the LDAP
> > DB, would be Unix sockets. I don't have this setup at my production
> > site, but do on my test rig.
> 
> Samba supports ldapi:/// in the LDAP URLs, and I hope other applications
> can be taught to use generic LDAP URLs, as it's very handy.

Wellwellwell ... so it does - almost. ldapi://%2Fpath%2Fto%2Fsocket/
works.  ldapi:/// hangs.

Where's this in the doco? AFAICR I had to guess at ldaps://myhost.tld/
working, but I don't remember any more. I never thought to try the ldapi
alternative.

Thanks, guys, for a fantastic and enormously flexible product.

BTW, I used to be sysadmin for an AT&T Unix-based product (NT4 PDC and
BDC) called AFPS (Advanced file and Printer Server), running on SCO's
UnixWare 7. Did anyone here ever work with that software? Not that I
ever itch to go back from RHAS to SCO, but I always had a soft spot for
Bell Labs and Novell who took the folks over. AFPS was a great product,
too.

--Tonni

-- 
Nothing sucksseeds like a pigeon without a beak ...

mail: tonye at billy.demon.nl
http://www.billy.demon.nl
 
They love us, don't they, They feed us, won't they ...
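The ldapi observation in the message above (a percent-encoded socket path works, bare ldapi:/// does not) comes down to how RFC 4516 places the socket path in the host slot of the URL. The following is an added example, not code from the thread or from Samba or OpenLDAP; the socket path /var/run/ldapi is a constructed sample, and whether a bare ldapi:/// resolves to a usable default socket depends on the client library's build-time default, which this code does not know.

```python
from typing import Optional
from urllib.parse import quote, unquote, urlsplit


def ldapi_url(socket_path: str) -> str:
    """Build an ldapi:// URL for a Unix-domain socket.

    RFC 4516 puts the socket path where a hostname would go, so every '/'
    in it must be encoded as %2F. An unencoded '/' would end the host part
    and the remainder would be parsed as the (empty) base DN instead.
    """
    if not socket_path.startswith("/"):
        raise ValueError("socket path must be absolute: " + socket_path)
    return "ldapi://" + quote(socket_path, safe="") + "/"


def ldapi_socket(url: str) -> Optional[str]:
    """Return the socket path named by an ldapi URL.

    Returns None for a bare ldapi:/// (empty host slot), which means
    "use the client library's compiled-in default socket"; if that default
    does not match where slapd actually listens, the connection attempt
    can hang or fail rather than report a clear error.
    """
    parts = urlsplit(url)
    if parts.scheme != "ldapi":
        raise ValueError("not an ldapi URL: " + url)
    if parts.netloc == "":
        return None
    return unquote(parts.netloc)


def check_socket_exists(url: str) -> bool:
    """True when the URL names an explicit socket path that exists on disk.

    A bare ldapi:/// cannot be checked this way, so it reports False;
    that is the case to avoid in a passdb backend setting when the
    default is unknown.
    """
    import os
    import stat
    path = ldapi_socket(url)
    if path is None:
        return False
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample path; on a real host it would be slapd's ldapi socket.
    url = ldapi_url("/var/run/ldapi")
    print(url, "->", ldapi_socket(url))
    print("ldapi:/// ->", ldapi_socket("ldapi:///"))
```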
