
Re: NT Account Sync issues



Michael Menefee wrote:

All:

I am using OpenLDAP as a user resource store for a Cyrus-IMAP email server.
This is in a Windows NT environment, so ideally, my users need to be
authenticated via NT. I am accomplishing this now with pam_smb for pop, imap
and smtp. I now have a need to authenticate LDAP requests to my NT domain as
well, or at least sync up or import the LM hashes and place them into the
userPassword attribute for my users. I've seen some bulky systems for this
(acctsync) and it's not a viable solution. Does anyone have any experience
importing/exporting or syncing up NT passwords into OpenLDAP accounts?

Any suggestions would be helpful.

Since you're using Cyrus anyway, the most obvious solution would be to switch all of your services to use SASL/NTLM. Of course, I have no idea if all of your email clients support SASL. If they do, then you're set.


Otherwise, you can install a password-hash module for OpenLDAP 2.2 that uses the Windows Net API to validate a password. We (Symas) have products that do this, feel free to email us for licensing info.

In general, the SASL solution is more secure; PAM and most password-hash approaches are inappropriate for unprotected sessions.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
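As an added configuration example (not part of this thread, and not Symas' password-hash module), this is how a stock OpenLDAP 2.2 slapd can defer password checks to the same pam_smb stack the poster already uses for POP/IMAP/SMTP, without copying LM hashes into userPassword: OpenLDAP's built-in {SASL} pass-through scheme hands the bind password to the SASL library, which asks saslauthd, which asks PAM. It assumes slapd was built with --enable-spasswd, that saslauthd runs with its PAM backend, that pam_smb is already set up in /etc/pam_smb.conf, and the file paths shown (they vary by distribution). The `security simple_bind=128` line enforces the caveat above: with pass-through the cleartext password reaches slapd inside the bind request, so simple binds are refused unless the session is already TLS-protected.

```conf
# /etc/openldap/slapd.conf   (path assumed; adjust to your build)

# Refuse simple binds unless the session already carries >=128-bit
# protection (TLS, or a SASL security layer). Pass-through means the
# cleartext password travels in the bind, so an unprotected session
# would expose it on the wire.
security simple_bind=128

# Entries to be checked against the NT domain store a {SASL} value instead
# of a hash. slapd passes "jdoe" and realm "EXAMPLE" to the SASL library,
# which consults saslauthd. Requires slapd built with --enable-spasswd.
# Sample entry (constructed):
#
#   dn: uid=jdoe,ou=people,dc=example,dc=com
#   userPassword: {SASL}jdoe@EXAMPLE


# /usr/lib/sasl2/slapd.conf   (per-application SASL config for slapd;
#                              some builds read /etc/sasl2/slapd.conf)
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux


# /etc/pam.d/ldap   (PAM service consulted by "saslauthd -a pam";
#                    "ldap" is slapd's SASL service name, assumed here)
auth     required   pam_smb_auth.so nolocal
account  required   pam_permit.so


# saslauthd must be started with the PAM mechanism, e.g. in
# /etc/sysconfig/saslauthd (path assumed):
# MECH=pam
```

The division of labour is: slapd never sees NT hashes at all, the NT domain stays the single source of truth, and pam_smb does the actual validation exactly as it already does for the mail services. Because the password is still transmitted to slapd, this sits on the "PAM / password-hash" side of the distinction drawn above; the `security` directive is what keeps it off unprotected sessions, and a client that cannot do TLS must fall back to a SASL mechanism (NTLM, DIGEST-MD5) rather than a simple bind.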