[KLUG Members] LDAP and passwords

Peter Buxton members@kalamazoolinux.org
Sat, 30 Aug 2003 17:08:25 -0400


On Sat, Aug 30, 2003 at 07:38:05AM -0400, Adam Williams was only escaped
   alone to tell thee:

> Nothing, that I recall.  Is the server listening on port 689?

Hmm... no, and it's not complaining about it at all, aside from not
being able to open an AF_INET6 port, which is normal. I even started it
from the command line with '-d 3', and it didn't give any errors about
not reading the cert/key pair, or not being able to bind to port ldaps.
My /etc/services gives 389 (working) and 636 (not) as the ldap and ldaps
ports, respectively.

> No, sasldb is used for CRAM-MD5, it is not used for Kerberos.

Now, you see, that is very confusing! Are you speaking of CRAM-MD5 *and*
DIGEST-MD5, or just the former? Is there no way to store the information
in /etc/sasldb2 in LDAP?

See, I want to allow SMTP AUTH connections from outside the LAN, for
home users using imaps. Unless I choose to expose Kerberos logins to the
outside world, or have Exim bind to another port with SSL using PLAIN
passwords, I need another solution.

> Actually yes, and it is pretty common.  Simply define a rule making it
> available for "compare" but never "read".

Hmmmm...

> But you *DO* need all of userPassword, ntPassword, and lmPassword.  You
> can't eliminate ntPassword or lmPassword regardless of the hash type -
> the whole M$ architecture depends on them (actually I'm not sure anything
> uses lmPassword anymore, but ntPassword is required).  Samba 3.x.x will
> manage all these values for you,  having three crypts seems scary but
> really is quite painless.  Just channel all password changes via Samba.
> 
> ldap passwd sync = { yes | no | only} 

So how do I get those hashes in there in the first place from an extant
Samba setup with a new, mostly empty LDAP db?

> Hm.  What slide uses something else?

10 and 29. Your later slides show it correctly.

> The above format is correct, "{crypt type}crypt value".  Note the
> exception of the special type "{KERBEROS}principle" which passes
> password authentication off to the KDC (which is transparent to the
> end application - this allows it to work for non-Kerbized
> applications).

Using GSSAPI, right?

-- 
-20
I'll torture you so slowly you'll think it's
a career. -- Darwin Mayflower, _Hudson Hawk_
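The "compare but never read" rule discussed in the thread, written out as an OpenLDAP slapd.conf ACL excerpt. This is an added illustration, not configuration from the thread or from any of its participants; it assumes an admin DN of cn=Manager,dc=example,dc=com and uses the Samba 2.x-style attribute names the thread mentions (ntPassword, lmPassword); Samba 3 schemas call these sambaNTPassword and sambaLMPassword, so adjust the names to the schema actually loaded.

```conf
# slapd.conf excerpt (added example, not from the thread).
# Assumed admin DN: cn=Manager,dc=example,dc=com
# Assumed attribute names: ntPassword / lmPassword (Samba 2.x schema);
# use sambaNTPassword / sambaLMPassword with the Samba 3 schema.

# userPassword: anonymous clients may bind against it ("auth"), the
# entry's owner and the admin may change it, and everyone else gets
# "compare" only. "compare" sits below "search" and "read" in OpenLDAP's
# privilege ladder, so no client can fetch the hash itself.
access to attrs=userPassword
    by dn="cn=Manager,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * compare

# The NT/LM hashes are password-equivalent (they can be replayed as-is
# in NTLM authentication), so they are not even compare-able by
# ordinary clients; only the account Samba binds with may touch them.
access to attrs=ntPassword,lmPassword
    by dn="cn=Manager,dc=example,dc=com" write
    by * none

# Remaining attributes stay readable. ACLs are evaluated in order, so
# this catch-all must come last.
access to *
    by * read
```

To confirm the rule behaves as intended, an anonymous `ldapsearch` requesting `userPassword` should return the entry with no userPassword attribute, while `ldapcompare` against the same entry with the correct "{crypt type}crypt value" string should report TRUE; a request for ntPassword should return nothing either way.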