[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Samba, email, LDAP and password integration and management

You won't be able to use the same password-attributes for Windows and other systems. Samba stores its data in two attributes (lmPassword and ntPassword or similar). These are hashes of the user-password which aren't compatible with - let's say - crypt or MD5 which are used by a lot of Unix-flavors.

The only way is to store these passwords in different attributes and synchronize them. Samba supports calling a script on password change (see man smb.conf, search for "passwd program" and "passwd chat"). Linux can synchronize the windows-passwords via PAM. The password-change script which would be called by Samba could check the quality of the password.

We use a meta-directory infrastructure to support this; a separate server sitting in front of the "master" which modifies some of the operations passing through it, such as changes to userPassword. Various hashes, renamings, etc can be generated in this fashion.

Note that if all you want to do is rename things, back-meta is a better solution. It can't help you with password hashing, but it's much faster.

Our prototype uses a modified back-perl, which we have not yet submitted for inclusion in cvs HEAD. (Well it's submitted for discussion, but that's all so far...)

If you have a single point where you can force your users to change their password, such as a single website under your direct control, it would probably be easiest to modify your password change cgi to update all the various password attributes.

Matthew Backes