On Sun, 2005-04-10 at 13:53 +0200, Tony Earnshaw wrote:
Sun, 10.04.2005 at 02.56, Gerald (Jerry) Carter wrote:
[...]
> There was some interesting code submitted by Engineers
> at Novell for utilizing the clear text password in eDirectory.
> The password is pulled via an extended LDAP operation from the
> DSA (over ldaps).  smbd can then generate the lm and nt
> hashes from this, therefore allowing one password to be stored.
> We could do the same thing with OpenLDAP if people felt this
> was helpful.  I.e. Is storing 'userPassword: {clear}secret'
> worth the single password configuration?
This would be fantastic. I have to have plain text userPasswords in the
LDAP database for non-Samba related CRAM- and DIGEST-MD5 purposes.
Syncing the 3 password types is no great hassle, but not having to do
that would definitely be a plus. Is Novell's code Open Source, then?
Yes, it's in current Samba releases.  What we should simply do is search
for the userPassword attribute, and call pdb_set_plaintext_password().
The tricky part of the patch will be writing the password back - I think
that the default behaviour should be to write back into the plaintext
password attribute, unless 'ldap password sync' is set.
(this will imply keeping a little state around, but it won't be hard).

Did such a feature make it into Samba, or might it in the future?  I'm
like Tony and already keep userPassword as cleartext in order to support
DIGEST-MD5 for those clients that can't do Kerberos.

> And before anyone yells the word 'security!', the danger
> is in obtaining the OpenLDAP db files.  It is possible to
> secure the password from unauthorized LDAP client access.
> Of course, the security settings are slightly more challenging
> than relying on hashed passwords being stored in the directory.
> However, the lm and nt password hashes are clear text equivalent
> so for those people using Samba, using {clear} would be
> only slightly more scary.
I'm not worried about plain text passwords in the LDAP DB. The only
users who have access to them are the slapd user (no shell) and root.

Yep, I'm not worried about this either.  If you hack into the DC with
sufficient privileges to steal the DB files then I'm borked anyway.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba