Re: NT Account Sync issues
Michael Menefee wrote:
> I am using OpenLDAP as a user resource store for a Cyrus-IMAP email server.
> This is in a Windows NT environment, so ideally, my users need to be
> authenticated via NT. I am accomplishing this now with pam_smb for pop, imap
> and smtp. I now have a need to authenticate LDAP requests to my NT domain as
> well, or at least sync up or import the LM hashes and place them into the
> userPassword attribute for my users. I've seen some bulky systems for this
> (acctsync) and it's not a viable solution. Does anyone have any experience
> importing/exporting or syncing up NT passwords into OpenLDAP accounts?
> Any suggestions would be helpful.

Since you're using Cyrus anyway, the most obvious solution would be to
switch all of your services to use SASL/NTLM. Of course, I have no idea
if all of your email clients support SASL. If they do, then you're set.
Otherwise, you can install a password-hash module for OpenLDAP 2.2 that
uses the Windows Net API to validate a password. We (Symas) have
products that do this, feel free to email us for licensing info.
In general, the SASL solution is more secure; PAM and most password-hash
approaches are inappropriate for unprotected sessions.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support