Re: Manage own LDAP Address book entry
Buchan Milne wrote:
Since some of the questions aren't answered by the admin guide, some
|>I guess I could make an attribute "password" but what about the
|>samba/unix/email login password? They should all be the same, and I don't
|>want to make multiple password attributes in my object units.
|>(I hope I use attribute and object units right here)
You have to use multiple attributes to sensibly support samba (since
samba uses encryption methods openldap does not support). The
userpassword can be used by pam_ldap (since it just binds - does the
equivalent of ldapwhoami ...). But, pam_ldap is off-topic for this list.
That is not strictly true. OpenLDAP has included support for LMhash in
the userPassword attribute for years, and there is code in contrib for
the NThash as well, but the Samba teams never used it.
These documents may help you understand it more:
Of course, you will need an ACL to allow users to change the relevant
Password synchronization and security management can be a lot easier
than those docs describe, but you have to patch Samba to use LDAP more
effectively. I don't think Samba 3.0 is much better in this regard, but
again, the tools are provided in OpenLDAP to make it easy.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
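
An added example, not part of the original message and not taken from the OpenLDAP or Samba projects: a slapd.conf access-control sketch for the kind of ACL the thread mentions, letting each user change their own password attributes while keeping the stored hashes unreadable to other users. The attribute names sambaLMPassword and sambaNTPassword are assumed from the Samba 3 schema, and ou=People,dc=example,dc=com is a placeholder suffix.

```conf
# slapd.conf access rules are evaluated top to bottom and the first
# matching "access to" clause wins, so the narrow password rule has to
# come before the broader per-entry rule.

# Password attributes (attribute names assumed, see lead-in):
#   - the owner may replace them ("write" also lets the owner read
#     their own values)
#   - anonymous clients may only use them to authenticate a bind
#   - no other identity can read or compare the stored hashes
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none

# Everything else under the people subtree (placeholder DN):
#   - the owner may edit their own address book entry
#   - authenticated users may read it
#   - anonymous clients get nothing
access to dn.subtree="ou=People,dc=example,dc=com"
    by self write
    by users read
    by * none
```

If the two rules are swapped, the broad rule matches first and `by users read` exposes every user's password hashes to any authenticated client.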