
RE: Getting OpenLDAP to auth users against sambaNTPassword
>Except that is modifying the client to satisfy the server - and I'm not
>sure that solves our problem.  If I wanted to modify the client, I would
>run pam_winbind - that also works out of the box.  But that's not the
>solution I'm looking for, and for LDAP to use it, we have the mess I
>described.

>
>We need a solution that works for the simple bind.  Then we can look at
>'secure' alternatives.

Hi. I also have been following this thread.

If the intent is to use simple bind, client changes don't seem necessary.
As Howard pointed out, {LM|NT} schemes can be added with a libutil backport
to OpenLDAP 2.1 from CVS.

The synchronization issue can be solved by a plugin or by a proxy.
The sambaLMPassword attribute can be synced to the userPassword
attribute either before bind or after password modification.
Another option is to use back-ldap, as SLAPI is not supported in OpenLDAP 2.1.
Entries in the native backend have the userPassword attribute, and it is shown to
the client as the sambaLMPassword attribute through the mapping
capability of back-ldap. The mapping works for both read and write.
(In fact, while searching the OpenLDAP archive, I found a short discussion
on attribute-level aliasing, but couldn't find any follow-ups. Does anybody know the status?)

- Jong

------------------------
Jong Hyuk Choi
IBM Thomas J. Watson Research Center - Enterprise Linux Group
P. O. Box 218, Yorktown Heights, NY 10598
email: jongchoi@us.ibm.com
(phone) 914-945-3979    (fax) 914-945-4425   TL: 862-3979
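The back-ldap mapping approach described above, as an added example (not configuration from the thread or from the OpenLDAP project): two slapd instances, a native backend that stores the hash in userPassword and a proxy that presents that attribute to Samba under the sambaLMPassword name via the `map attribute` directive of slapd-ldap(5). Suffix, host, ports and ACL subjects are assumed placeholders.

```conf
# --- Instance 1: native backend (assumed to listen on ldap://localhost:389/) ---
# Stores the password hash in userPassword, e.g. "{LM}<hash>" once the
# {LM}/{NT} schemes mentioned in the thread are available; simple bind is
# verified against this attribute.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# Keep the hash out of search results: only the owner may write it, and
# other subjects may only use it for authentication (bind), never read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read

# --- Instance 2: back-ldap proxy (assumed to listen on a second port) ---
# Samba talks to this instance. The map directive is "local remote":
# clients see sambaLMPassword, the native backend receives userPassword.
# Per the thread, the mapping applies to both reads and writes, so a
# password change through the proxy lands in userPassword as well.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://localhost:389/"
map attribute   sambaLMPassword userPassword

# Mirror the restrictive ACL on the mapped name, otherwise the proxy would
# hand the same hash out under a different attribute name.
access to attrs=sambaLMPassword
        by self write
        by * none
access to *
        by * read
```

The two instances must be separate slapd processes, because one slapd cannot serve two databases with the same suffix; a single-instance variant would need a distinct proxy suffix together with `suffixmassage`.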