[KLUG Members] ldap password synchronization project

Adam Tauno Williams adam at morrison-ind.com
Mon Mar 14 10:46:22 EST 2005


> > > This sounds interesting. Is this a project someone is looking to start,
> > > or discussion of a current project or product that does? Novell has
> > > Identity Manager (formerly DirXML) that does this. It is rather pricey
> > > though.
> > > If an app is ldap enabled, why not just authenticate against the
> > > directory? 
> > Various services require the password in specific forms.  smbk5pwd hooks into 
> > LDAP's password modify operation and makes a Kerberos (heimdal), lmhash, and 
> > nthash of the password in addition to the configured userpassword crypt.
> > These aren't meant for use by applications, which as you said should 
> > authenticate to the directory; but for 'tier 2' services like RADIUS, Samba, 
> > Heimdal, etc...
> Where are the docs for setting up??  

Ha!  What you talkin' about?

But seriously, there is a readme (I think) in recent source tarballs.

You compile the module,  specify that it gets loaded, and have the
correct schema installed.  If you don't, your DSA crashes at start - so
it will be apparent if you bork it.

> Are there limitations?  Does this
> mean that a set of password hashes can be changed in any way ( like with
> the passwd command) and all others will be synchronized??

"any way"?  NO.  They must be changed via the LDAP 'password modify'
extended operation (1.3.6.1.4.1.4203.1.11.1).  PAM can be configured to
use "password modify", so passwd should work fine IF PAM is so
configured.  You can even invoke extended operations via PHP and Python;
so maybe "YES" is an answer to "any way" depending on what "any way"
means. :)

You also must set "ldap passwd sync" to "Only" in Samba,  if set to
"yes" then two things (Samba and the overlay) try to set all the
passwords.  "Only" sets Samba to invoke 'password modify' and trust that
the DSA will take care of everything else automagically;  which if your
overlay is installed and operational.....

> I think I am still a little unclear of the details.

Yep, me too.

> Did a google search for smbk5pwd and got a email conversation between
> Adam and someone else when I was hoping for a project home page with
> info on how to install and configure.

Yep;  I'm going to cover overlays in LDAP106.  But I don't have anything
resembling notes yet.

