On Wed, 2006-03-15 at 17:33 +0100, Tomasz Chmielewski wrote:
> Craig White wrote:
> > On Wed, 2006-03-15 at 16:40 +0100, Tomasz Chmielewski wrote:
> >> info-cyrus@lists.andrew.cmu.edu wrote:
> >>> Tomasz Chmielewski wrote:
> >>>> I have a user base in two databases: one in LDAP, for Samba, and one
> >>>> in MySQL, for cyrus/mail.
> >>>>
> >>>> It's not very comfortable, as I have to do the things twice.
> >>>>
> >>>> So I thought of "leeching" the users and passwords from the LDAP
> >>>> database, filtering it through a script, and creating cyrus accounts
> >>>> this way.
> >>>>
> >>>> There is one problem though - Samba accounts use SSHA encryption, and
> >>>> Cyrus doesn't.
> >>>>
> >>>> What encryption is used by Cyrus?
> >>>>
> >>>> When I look into MySQL database, the password looks like that:
> >>>>
> >>>> abcDe12FGHiJK
> >>>>
> >>>> So it's 13 characters.
> >>>>
> >>>> What encryption is it?
> >>>>
> >>> Why not build cyrus to read users from LDAP?
> >> It would be problematic here.
> >>
> >> Right now I have several LDAP (Samba) databases on different servers -
> >> for different user groups.
> >>
> >> On the other hand, one MySQL (cyrus) database is used for all users.
> >>
> >> So, if I wanted to make Cyrus read from LDAP, it would have to read from
> >> several LDAP servers.
> >>
> >> Can it do it? I didn't google much, but perhaps it's either impossible,
> >> or hard to do.
> >>
> >>
> >> So I assumed the approach I described earlier would be easier.
> > ----
> > I would expect that you could set up one of your LDAP servers to do
> > referrals to the other proxy servers so you would only need to set up
> > one LDAP reference within cyrus.
>
> Technically, I should be able to do this.
> Perhaps it's not the best group to ask - what will happen if the
> connection between the two LDAP servers is broken, and we use referrals
> as here [1]:
>
> ref: ldap://b.example.net/dc=subtree,dc=example,dc=net
>
>
> > I would also suggest that sambaNTPassword and sambaLMPassword attributes
> > are not SSHA but rather a Microsoft form of hash. The userPassword
> > attribute (if your samba users are also posixAccount/shadowAccount
> > objectclasses) could possibly be SSHA.
>
> This I know.
> What I want to know is what Cyrus uses - certainly it's not a Microsoft
> hash :) and not SSHA.

As I said, cyrus can use a lot of different hashes depending on how you
configure it. Read up on cyrus-sasl.

I think you should consider looking into the replication and syncing
features of openldap. You should probably be able to use that to have a
slave ldapserver on the mailserver with the other ldapservers as masters
for their own subtrees. This will also give you a handy backup :-)

Tarjei
>
> [1] http://www.openldap.org/doc/admin23/referrals.html
>
--
Tarjei Huse <[EMAIL PROTECTED]>