Re: Manage own LDAP Address book entry

Howard Chu wrote:
| Buchan Milne wrote:
|> Since some of the questions aren't answered by the admin guide, some
|> quickies ...
|> |>I guess I could make an attribute "password" but what about the
|> |>samba/unix/email login password? They should all be the same, and I
|> |>don't
|> |>want to make multiple password attributes in my object units.
|> |>( I hope I use attribute and object units right here)
|> You have to use multiple attributes to sensibly support samba (since
|> samba uses encryption methods openldap does not support). The
|> userpassword can be used by pam_ldap (since it just binds - does the
|> equivalent of ldapwhoami ...). But, pam_ldap is off-topic for this list.
| That is not strictly true. OpenLDAP has included support for LMhash in
| the userPassword attribute for years, and there is code in contrib for
| the NThash as well, but the Samba teams never used it.

Hmm, I'll have to take a look, and consider filing bugs on samba ...

|> These documents may help you understand it more:
|> http://www.mandrakesecure.net/en/docs/samba-pdc.php
|> http://www.mandrakesecure.net/en/docs/samba-ldap-advanced.php
|> Of course, you will need an ACL to allow users to change the relevant
|> attributes.
| Password synchronization and security management can be a lot easier
| than those docs describe, but you have to patch Samba to use LDAP more
| effectively.

And newer versions of openldap (than the 2.0.27 the docs were based on)
may be necessary too.

| I don't think Samba 3.0 is much better in this regard, but
| again, the tools are provided in OpenLDAP to make it easy.

Depends on what features you need. Samba-3's LDAP support is much better
in at least one regard, it's now run-time (and not compile-time
exclusive), and there is a replication delay parameter (so you don't
have to hack password changes on a "backup" DC to allow replication
time) and a few other improvements.
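As an added example (not from this thread or from either project's documentation), a slapd.conf ACL fragment that lets each user change only their own password attributes while keeping the hashes unreadable by everyone else. It assumes the Samba 3 schema attribute names (sambaLMPassword, sambaNTPassword) and a hypothetical Samba admin DN:

```conf
# ACL order matters in slapd.conf: the first "access to" clause whose
# target matches is the one applied, so this clause must come before
# any broader "access to * ..." rule.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    # hypothetical DN that smbd binds with (matches "ldap admin dn" in smb.conf)
    by dn="cn=samba,dc=example,dc=com" write
    # the entry's owner may replace the hashes (ldappasswd / passwd via pam_ldap)
    by self write
    # anyone may bind with the password, but nobody may read the hashes
    by anonymous auth
    by * none

# Everything else stays readable to authenticated users; this broad rule
# is listed after the password rule so it never exposes the hashes.
access to *
    by dn="cn=samba,dc=example,dc=com" write
    by users read
    by * none
```

Without the "by * none" on the password attributes, a user with read access to the entry could copy the LM/NT hashes, which is enough to authenticate to Samba without ever knowing the password.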


