
Re: Setting up OpenLDAP SSL, client and server

On Tue, Aug 06, 2002 at 01:33:47PM -0700, Jim C wrote:

[ This is getting off-topic for the openldap-software list.
  Samba-specific questions are better sent to a Samba list. ]

> On the topic of clear text passwords your article states:
> 
> "If Samba is installed on a machine using nss_ldap and pam_ldap it will 
> of course use them, so networks running SMB with cleartext passwords may 
> not need to do more than that. There are advantages to the PDC model 
> though, so Samba's move to closer integration with LDAP is particularly 
> welcome."
> 
> Can one implement Samba *without* having clear text passwords 
> transmitted from either Windoz or Samba?

Very much so. However, if you are starting from an existing Unix
environment (whether it uses LDAP for password storage or not), you
cannot use the Unix-style hashed passwords to authenticate `encrypted
password' SMB connections. A new set of password hashes must be
maintained in parallel, or the LDAP server must store cleartext
passwords and generate the various hashes on demand (you can do this
with OpenLDAP 2.1: much more flexible, but also a much bigger problem
if the database security gets compromised).

LDAP fits into all of this by providing a replicated store that allows
multiple Samba instances to share `PDC' data. In principle, this
should let you set up something like the Windows PDC/BDC fallback
without having to use M$ protocols to synchronise the data.

> I really hate clear text passwords and I feel I have good reason to. ;)

<aol>Me too.</aol>

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|        Andrew.Findlay@skills-1st.co.uk       +44 1628 782565        |
-----------------------------------------------------------------------