Re: using Active Directory encryption mechanism to authenticate user in OpenLDAP
Alain Dejoux wrote:
Active Directory does not store users' plaintext passwords, so it is
impossible to extract those. It stores a Kerberos key and possibly an NT
hash of the users' passwords. pwdump2 can be used to extract the NT
hash, I'm not aware of any way to extract the Kerberos key, and none of
this is retrievable directly using LDAP.
> I need to migrate an Active Directory PDC server to OpenLDAP. I have
> resolved most problems but I am struggling with the initial password migration. I'll
> explain: I must retrieve all user passwords in AD and put them in
> OpenLDAP, so users don't need to change their password (a mandatory customer
> request :-/). I know how to encode passwords in AD format but I am searching for a
> way to use this method in OpenLDAP.
> Is it possible to add a mechanism to OpenLDAP? Or else does someone know a
> better way to migrate password data from Active Directory? I thought of
> Samba but I can only create a smbpasswd file with it, and that didn't change
> my authentication problem.
Assuming that the NT hash will satisfy your need, OpenLDAP already
supports this hash format as one of its password hash mechanisms,
although it must be explicitly enabled at configure time. Also, the
password hash mechanisms are dynamically loadable so you can certainly
add new mechanisms if you need to.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support