Re: Manage own LDAP Address book entry
Howard Chu wrote:
| Buchan Milne wrote:
|> Since some of the questions aren't answered by the admin guide, some
|> quickies ...
|> |>I guess I could make an attribute "password" but what about the
|> |>samba/unix/email login password? They should all be the same, and I
|> |>want to make multiple password attributes in my object units.
|> |>(I hope I use attribute and object units right here)
|> You have to use multiple attributes to sensibly support samba (since
|> samba uses encryption methods openldap does not support). The
|> userpassword can be used by pam_ldap (since it just binds - does the
|> equivalent of ldapwhoami ...). But, pam_ldap is off-topic for this list.
| That is not strictly true. OpenLDAP has included support for LMhash in
| the userPassword attribute for years, and there is code in contrib for
| the NThash as well, but the Samba teams never used it.
Hmm, I'll have to take a look, and consider filing bugs on samba ...
|> These documents may help you understand it more:
|> Of course, you will need an ACL to allow users to change the relevant
| Password synchronization and security management can be a lot easier
| than those docs describe, but you have to patch Samba to use LDAP more
And newer versions of openldap (than the 2.0.27 the docs were based on)
may be necessary too.
| I don't think Samba 3.0 is much better in this regard, but
| again, the tools are provided in OpenLDAP to make it easy.
Depends on what features you need. Samba-3's LDAP support is much better
in at least one regard, it's now run-time (and not compile-time
exclusive), and there is a replication delay parameter (so you don't
have to hack password changes on a "backup" DC to allow replication
time) and a few other improvements.
Buchan Milne Senior Support Technician
Obsidian Systems http://www.obsidian.co.za
B.Eng RHCE (803004789010797)