Re: Questions about Active Directory Password Cache overlay
On Friday 04 April 2008 22:57:49 Wes Modes wrote:
> Thanks to Buchan Milne, I'm looking into the Active Directory Password
> Cache overlay for OpenLDAP, which seems to offer more or less what I'm
> trying to do. Is anyone here experienced with it? Is this the right
> place to ask or is there an OpenLDAP overlays list?
>
> I understand this description of ADPC:
[...]
> It is clear to me that after a password change, a failure to
> authenticate
... with a simple bind ...
> initiates a new auth attempt against the KDC, and if it
> succeeds, ADPC caches the passwd as a hash in OpenLDAP. But if Samba
> fails to authenticate against the hash stored in sambaNTPassword, is a
> new authentication attempt made against the KDC? And if it does, where
> does it get the passwd to hash (since Samba never gets the passwd in
> NTLM authentication)?
>
> Practically speaking, it seems that the password that the overlay hashes
> has to come from a source other than Samba. A web app?
That's one way.
> How have people
> used it in the past?
Some people use LDAP for things besides samba (in my case, samba is about 5%
of my LDAP traffic for internal user accounts, which is about 1% of my total
LDAP traffic ...).
Regards,
Buchan
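
The flow discussed in this thread, as an added Python model that is not part of the original message and is not the overlay's code: a simple bind carries the cleartext password, so a miss can fall back to the KDC and refresh the cache, while a challenge-response login has no password to forward. All names, the SSHA and SHA-256 stand-ins for the stored hashes, and the assumption that a refresh also rewrites the challenge-response hash are illustrative.

```python
import hashlib, hmac, os

def ssha(password, salt=None):
    """Salted SHA-1, a stand-in for the hash cached for simple binds."""
    salt = salt or os.urandom(8)
    return salt + hashlib.sha1(password.encode() + salt).digest()

def proto_hash(password):
    """Stand-in for the unsalted hash a challenge-response login keys on
    (the thread's sambaNTPassword); SHA-256 replaces the real NT hash here."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def cr_response(key, challenge):
    """What a client that knows the password hash sends back (modelled as HMAC)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class CacheModel:
    def __init__(self, kdc_passwords):
        self.kdc = kdc_passwords  # constructed: passwords the KDC would accept
        self.cache = {}           # user -> (ssha value, proto_hash value)
        self.kdc_calls = 0

    def _kdc_verify(self, user, password):
        self.kdc_calls += 1
        expected = self.kdc.get(user)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())

    def simple_bind(self, user, password):
        if not password:          # empty password is an unauthenticated bind
            return False
        entry = self.cache.get(user)
        if entry and hmac.compare_digest(entry[0], ssha(password, entry[0][:8])):
            return True           # cached hash matched, KDC not contacted
        if self._kdc_verify(user, password):
            # Cleartext is available on this path, so the cache can be refreshed.
            self.cache[user] = (ssha(password), proto_hash(password))
            return True
        return False

    def challenge_response(self, user, challenge, response):
        # Only a keyed response arrives: nothing to replay to the KDC or to hash.
        entry = self.cache.get(user)
        return entry is not None and hmac.compare_digest(
            cr_response(entry[1], challenge), response)
```

In this model the challenge-response path never increments `kdc_calls`, which is the point raised in the question: the hash it checks only changes after some other client performs a simple bind.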