[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Getting OpenLDAP to auth users against sambaNTPassword



This thread seems to be arriving out-of-order, so I'm a bit confused on the
context. The thread appears out of order on the samba.org mailing list
archives as well.

Since there's already plenty to do, first I'd like to understand why using
the SASL NTLM mechanism won't work. In looking at cyrus/sasl/plugins/ntlm.c,
this appears to use a plaintext userPassword, like most of the other SASL
mechs.

Using a scheme like '{NTPASSWORD}sambaNTpassword' isn't really practical with
the current password check/hash mechanism; the password functions aren't
given any context about the DN or entry being authenticated. As such, there
isn't enough info to specify which entry's sambaNTpassword to retrieve. And
also, the passwd library has no API to perform the retrieval, short of
issuing its own ldapsearch().

If it were just a matter of fixing the case sensitivity issue in the {LANMAN}
mech, that would be OK. But Andrew mentioned something about needing to
extract a session key from the handshake - it would seem that none of these
simple password mechs would accomodate this requirement.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Luke Howard

> Another option, at least for OpenLDAP 2.2, is to write a SLAPI pre-
> operation bind plugin that performs the necessary authentication.