Re: AD -> OpenLDAP sync and userPassword crypt

[Geoff Silver <geoff@uslinux.net>]

> >  All we really need replicated is enough to build out
> > /etc/passwd, /etc/shadow, and /etc/group files.  I suspect the difficult
> > part is getting the password out of SAM and into OpenLDAP in crypted
> > form, though I'm guessing someone out there has done this.
>
> AFAIK, you can't. The password hash used by Windows is incompatible, the
> only way to convert would be brute-force.

Yep, the Windows hash is just a hash, not an encrypted password string. 
My question, really, is if there is a way during the AD->OpenLDAP 
replication to convert the password hash to a usable userPassword field.

> > Second, I need to dump the OpenLDAP data into /etc/passwd,shadow,group
> > files on some AIX systems.  PAM is a poor choice because connectivity is
> > going to be an issue, and we're looking at roughly 200 remote sites with
> > limited bandwidth.  The goal is to dump the relevant data about once per
> > day, but the tricky part is dumping the userPassword hash in a format
> > which the OS can understand.  I *suspect* {crypt} form will "just work",
> > though I'm wondering if anyone can confirm or deny that
>
> I don't think this is a viable strategy.
>
> > (if not, does
> > anyone have a good solution - cleartext in LDAP salted to a crypt hash?)
>
> nss_updatedb, nss_ldap and nss_updatedb?

I've used pam_ldap and nss_ldap previously, and the biggest issue I can 
see is that we're looking at 200 remote sites with average latency, 
low-bandwidth connections.  If the system needs to contact a remote LDAP 
server for authorization every time a file is opened, performance is going 
to suffer.  Managing OpenLDAP replicas or proxy caches at each remote site 
isn't going to work either.

--
Geoff Silver					<geoff at uslinux dot net>
"If Bill Gates had a nickel for every time Windows crashed...
	Oh wait, he does"