Re: using Active Directory encryption mechanism to authenticate user in OpenLDAP

[Howard Chu <hyc@symas.com>]

Alain Dejoux wrote:

> Hi,
>
> 	I need to migrate a Active Directory PDC server to OpenLDAP. I have
> resolved most problem but i am struggle on initial password migration. I
> explain, i must retrieve all user password in AD and put them in
> OpenLDAP. So users don't need to change password ( a mandatory customer
> request :-/ ). I know how encode password in AD format but i search a
> way for using this method in OpenLDAP. 
>
> It is possible to add a mechanism to OpenLDAP ? Or else someone  know a
> best way to migrate password data from Active Directory ? I thought to
> samba but i can only create a smbpasswd file with and that didn't change
> my authentication problem.
>
>  
Active Directory does not store users' plaintext passwords, so it is 
impossible to extract those. It stores a Kerberos key and possibly an NT 
hash of the users' passwords. pwdump2 can be used to extract the NT 
hash, I'm not aware of any way to extract the Kerberos key, and none of 
this is retrievable directly using LDAP.

Assuming that the NT hash will satisfy your need, OpenLDAP already 
supports this hash format as one of its password hash mechanisms, 
although it must be explicitly enabled at configure time. Also, the 
password hash mechanisms are dynamically loadable so you can certainly 
add new mechanisms if you need to.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support