Re: Samba, email, LDAP and password integration and management
You won't be able to use the same password-attributes for Windows and
other systems. Samba stores its data in two attributes (lmPassword and
ntPassword or similar). These are hashes of the user-password which
aren't compatible with - let's say - crypt or MD5 which are used by a
lot of Unix-flavors.

The only way is to store these passwords in different attributes and
synchronize them. Samba supports calling a script on password change
(see man smb.conf, search for "passwd program" and "passwd chat").
Linux can synchronize the Windows passwords via PAM. The
password-change script which would be called by Samba could check the
quality of the password.

We use a meta-directory infrastructure to support this; a separate
server sitting in front of the "master" which modifies some of the
operations passing through it, such as changes to userPassword.
Various hashes, renamings, etc. can be generated in this fashion.

Note that if all you want to do is rename things, back-meta is a better
solution. It can't help you with password hashing, but it's much
faster.

Our prototype uses a modified back-perl, which we have not yet
submitted for inclusion in cvs HEAD. (Well it's submitted for
discussion, but that's all so far...)

If you have a single point where you can force your users to change
their password, such as a single website under your direct control, it
would probably be easiest to modify your password change cgi to update
all the various password attributes.
Matthew Backes
lucca@csun.edu