
Re: Manage own LDAP Address book entry




Howard Chu wrote:
| Buchan Milne wrote:
|
|> Since some of the questions aren't answered by the admin guide, some
|> quickies ...
|
|
|> |>I guess I could make an attribute "password" but what about the
|> |>samba/unix/email login password? They should all be the same, and I
|> |>don't want to make multiple password attributes in my object units.
|> |>(I hope I use attribute and object units right here)
|>
|> You have to use multiple attributes to sensibly support samba (since
|> samba uses encryption methods openldap does not support). The
|> userpassword can be used by pam_ldap (since it just binds - does the
|> equivalent of ldapwhoami ...). But, pam_ldap is off-topic for this list.
|
|
| That is not strictly true. OpenLDAP has included support for LMhash in
| the userPassword attribute for years, and there is code in contrib for
| the NThash as well, but the Samba teams never used it.

Hmm, I'll have to take a look, and consider filing bugs on samba ...

|
|> These documents may help you understand it more:
|>
|> http://www.mandrakesecure.net/en/docs/samba-pdc.php
|> http://www.mandrakesecure.net/en/docs/samba-ldap-advanced.php
|>
|> Of course, you will need an ACL to allow users to change the relevant
|> attributes.
|
|
| Password synchronization and security management can be a lot easier
| than those docs describe, but you have to patch Samba to use LDAP more
| effectively.

And newer versions of openldap (than the 2.0.27 the docs were based on)
may be necessary too.

| I don't think Samba 3.0 is much better in this regard, but
| again, the tools are provided in OpenLDAP to make it easy.

Depends on what features you need. Samba-3's LDAP support is much better
in at least one regard, it's now run-time (and not compile-time
exclusive), and there is a replication delay parameter (so you don't
have to hack password changes on a "backup" DC to allow replication
time) and a few other improvements.

Regards,
Buchan

--
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng                                RHCE (803004789010797)