[KLUG Members] LDAP and passwords
Peter Buxton
members@kalamazoolinux.org
Sat, 30 Aug 2003 17:08:25 -0400
On Sat, Aug 30, 2003 at 07:38:05AM -0400, Adam Williams was only escaped
alone to tell thee:
> Nothing, that I recall. Is the server listening on port 689?
Hmm... no, and it's not complaining about it at all, aside from not
being able to open an AF_INET6 port, which is normal. I even started it
from the command line with '-d 3', and it didn't give any errors about
not reading the cert/key pair, or not being able to bind to port ldaps.
My /etc/services gives 389 (working) and 636 (not) as the ldap and ldaps
ports, respectively.
> No, sasldb is used for CRAM-MD5, it is not used for Kerberos.
Now, you see, that is very confusing! Are you speaking of CRAM-MD5 *and*
DIGEST-MD5, or just the former? Is there no way to store the information
in /etc/sasldb2 in LDAP?
See, I want to allow SMTP AUTH connections from outside the LAN, for
home users using imaps. Unless I choose to expose Kerberos logins to the
outside world, or have Exim bind to another port with SSL using PLAIN
passwords, I need another solution.
> Actually yes, and it is pretty common. Simply define a rule making it
> available on for "compare" but never "read".
Hmmmm...
> But you *DO* need all of userPassword, ntPassword, and lmPassword. You
> can't eliminate ntPassword or lmPassword regardless of the hash type -
> the whole M$ architecture depends on them (actually I'm not sure anything
> uses lmPassword anymore, but ntPassword is required). Samba 3.x.x will
> manage all these values for you, having three crypts seems scary but
> really is quite painless. Just channel all password changes via Samba.
>
> ldap passwd sync = { yes | no | only}
So how do I get those hashes in there in the first place from an extant
Samba setup with a new, mostly empty LDAP db?
> Hm. What slide uses something else?
10 and 29. Your later slides show it correctly.
> The above format is correct, "{crypt type}crypt value". Note the
> exception of the special type "{KERBEROS}principal" which passes
> password authentication off to the KDC (which is transparent to the
> end application - this allows it to work for non-Kerbized
> applications).
Using GSSAPI, right?
--
-20
I'll torture you so slowly you'll think it's
a career. -- Darwin Mayflower, _Hudson Hawk_
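The "{crypt type}crypt value" userPassword format discussed in the message, including the {KERBEROS}principal special case, as an added example that is not part of the original thread or of OpenLDAP's own code. It builds and verifies values for the hashlib-backed schemes {SHA}, {SSHA}, {MD5} and {SMD5}, and treats a {KERBEROS} value as something that cannot be checked locally because the real verification is delegated to the KDC. The principal name, password and salt used below are constructed for illustration.

```python
"""Construct and verify OpenLDAP-style userPassword values.

Added example, not code from the KLUG thread or from OpenLDAP. It
implements the "{SCHEME}base64(digest [+ salt])" layout used by the
common hash schemes and recognises "{KERBEROS}principal" as a
delegation marker. Sample inputs are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os

# Digest algorithm and whether a salt is appended after the digest
# inside the base64 blob, per scheme.
_SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}


def make_userpassword(password, scheme="SSHA", salt=None):
    """Return a userPassword value such as '{SSHA}base64...'."""
    algo, salted = _SCHEMES[scheme]
    pw = password.encode("utf-8")
    if salted:
        # OpenLDAP uses a short random salt; 4 bytes is the classic size.
        salt = os.urandom(4) if salt is None else salt
        blob = hashlib.new(algo, pw + salt).digest() + salt
    else:
        blob = hashlib.new(algo, pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(blob).decode("ascii"))


def parse_userpassword(value):
    """Split '{SCHEME}rest' into (SCHEME, rest).

    A value with no '{...}' prefix is a cleartext password, which the
    server also accepts; it is returned as ('CLEARTEXT', value).
    """
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return "CLEARTEXT", value


def verify_userpassword(stored, candidate):
    """Return True/False for schemes checkable locally, None for {KERBEROS}.

    For '{KERBEROS}principal' the stored value only names the principal;
    the password has to be verified against the KDC, which is what lets
    a non-Kerberized client doing a plain LDAP bind still authenticate
    with Kerberos credentials.
    """
    scheme, rest = parse_userpassword(stored)
    if scheme == "KERBEROS":
        return None
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(rest.encode("utf-8"),
                                   candidate.encode("utf-8"))
    if scheme not in _SCHEMES:
        raise ValueError("unsupported scheme %r" % scheme)
    algo, salted = _SCHEMES[scheme]
    blob = base64.b64decode(rest)
    dlen = hashlib.new(algo).digest_size
    if salted:
        digest, salt = blob[:dlen], blob[dlen:]
    else:
        digest, salt = blob, b""
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    # Constant-time comparison so a compare-only ACL does not leak
    # timing information about the stored digest.
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    stored = make_userpassword("s3cret", "SSHA")
    print(stored, verify_userpassword(stored, "s3cret"))
    print(verify_userpassword("{KERBEROS}pbuxton@EXAMPLE.ORG", "s3cret"))
```

Note that this is why the access rule discussed above matters: a client given only "compare" (or "auth") access to userPassword can have the server perform this check, while "read" access would hand it the digest and salt to attack offline.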