[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: NT Account Sync issues

Michael Menefee wrote:


I am using OpenLDAP as a user resource store for a Cyrus-IMAP email server.
This is in a Windows NT environment, so ideally, my users need to be
authenticated via NT. I am accomplishing this now with pam_smb for pop, imap
and smtp. I now have a need to authenticate LDAP requests to my NT domain as
well, or at least sync up or import the LM hashes and place them into the
userPassword attribute for my users. I've seen some bulky systems for this
(acctsync) and it's not a viable solution. Does anyone have any experience
importing/exporting or syncing up NT passwords into OpenLDAP accounts?

Any suggestions would be helpful

Since you're using Cyrus anyway, the most obvious solution would be to switch all of your services to use SASL/NTLM. Of course, I have no idea if all of your email clients support SASL. If they do, then you're set.

Otherwise, you can install a password-hash module for OpenLDAP 2.2 that uses the Windows Net API to validate a password. We (Symas) have products that do this, feel free to email us for licensing info.

In general, the SASL solution is more secure; PAM and most password-hash approaches are inappropriate for unprotected sessions.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support