[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Manage own LDAP Address book entry

Buchan Milne wrote:

Since some of the questions aren't answered by the admin quide, some
quickies ...

|>I guess i could make a atribute "password" but what about the
|>samba/unix/email login password? They should all be the same, and i don't
|>want to make multiple password atributes in my object units.
|>( i hope i uses atribute and object units right here)

You have to use multiple attributes to sensibly support samba (since
samba uses encryption methods openldap does not support). The
userpassword can be used by pam_ldap (since it just binds - does the
equivalent of ldapwhoami ...). But, pam_ldap is off-topic for this list.

That is not strictly true. OpenLDAP has included support for LMhash in the userPassword attribute for years, and there is code in contrib for the NThash has well, but the Samba teams never used it.

These documents may help you understand it more:


Of course, you will need an ACL to allow users to change the relevant

Password synchronization and security management can be a lot easier than those docs describe, but you have to patch Samba to use LDAP more effectively. I don't think Samba 3.0 is much better in this regard, but again, the tools are provided in OpenLDAP to make it easy.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support