
Re: NT/LM hash support for OpenLDAP



At 03:43 AM 2002-03-04, Sam Johnston wrote:
>Some questions:
>
>Are LANMAN and NTLM suitable scheme names?

I think X-LANMAN and X-NTLM would be better choices if we
had used X-UNIX, etc.  But since all of RFC 2307 is
experimental, it really doesn't matter much.

>Does anyone have a problem with adding the following to schema_prep.c
>(courtesy jerry@samba.org, according to the enterprise number)?

Yes, these attributes should be administered by user applications,
not slapd.  They should be loaded via a .schema file.

>Is there a better way to implement the exops in the backends - I've only
>had a quick look but it seems they're fairly manual (start transaction, get
>entry, etc.) where I'd probably rather be putting the code for each hash in
>one place and calling backend specific update functions.

The hash generation code for userPassword is in one place,
liblutil/passwd.c.

>Does support for authPassword exist yet? How would it be supported?

Not yet.  When authPassword is added, there should be a configuration
flag that says "use authPassword instead of userPassword".  Then
the directory authentication services would use authPassword instead
of userPassword and the password modify would likewise update
authPassword instead of userPassword.

>I guess
>the password-hash setting in slapd.conf would have to accept multiple
>schemes, and a hash would be generated for each scheme listed. Checking
>code would need to be updated too.

Not necessarily.  authPassword can be used with one scheme, just
like userPassword.  One should only use multiple schemes when
replicas don't support the same scheme as the master.

Kurt
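The points raised in this reply, illustrated as an added example that is not part of the thread and is not OpenLDAP's own liblutil/passwd.c: one scheme table that knows how to generate and check each `{SCHEME}`-prefixed userPassword value (RFC 2307 style), a `hash_password` that can emit one value per configured scheme for the "replica doesn't support the master's scheme" case, and a `check_password` that accepts a match under any known scheme. The NT hash is MD4 over the UTF-16LE password; a small pure-Python MD4 is included because hashlib's MD4 is frequently disabled in current OpenSSL builds. The scheme name `NTLM` is the one proposed in the thread, not a registered scheme, and `LANMAN` is omitted because its DES step is not in the Python standard library. Function names and the test password are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Included only because hashlib's md4 is
    often unavailable; not intended to be fast."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
         (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
         (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + f(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles for the next step
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def _gen_ssha(password: str) -> str:
    salt = os.urandom(8)  # salt appended to the digest inside the base64 blob
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def _check_ssha(password: str, payload: str) -> bool:
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def _gen_ntlm(password: str) -> str:
    return nt_hash(password).hex()


def _check_ntlm(password: str, payload: str) -> bool:
    return hmac.compare_digest(nt_hash(password).hex(), payload.lower())


# One place that knows every scheme: (generate, check) per scheme name.
# "NTLM" is the name floated in the thread (hypothetical), not a registered scheme.
SCHEMES = {
    "SSHA": (_gen_ssha, _check_ssha),
    "NTLM": (_gen_ntlm, _check_ntlm),
}


def split_scheme(value: str):
    """'{ssha}abc' -> ('SSHA', 'abc'); None if there is no {scheme} prefix."""
    if not value.startswith("{"):
        return None
    end = value.find("}")
    if end < 0:
        return None
    return value[1:end].upper(), value[end + 1:]


def hash_password(password: str, schemes=("SSHA",)) -> list:
    """One userPassword value per configured scheme, e.g. ("SSHA", "NTLM")
    when a replica only understands the NT hash."""
    return ["{%s}%s" % (s, SCHEMES[s][0](password)) for s in schemes]


def check_password(password: str, stored_values) -> bool:
    """True if any stored value is in a known scheme and matches the password."""
    for value in stored_values:
        parsed = split_scheme(value)
        if parsed is None or parsed[0] not in SCHEMES:
            continue  # unknown or unprefixed values never authenticate here
        if SCHEMES[parsed[0]][1](password, parsed[1]):
            return True
    return False
```

Storing an NT hash beside an SSHA value weakens the entry to the unsalted MD4 value, since anyone who can read userPassword gets a password-equivalent for NTLM authentication; that is the trade-off behind "only use multiple schemes when replicas don't support the same scheme as the master".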