
Re: AD -> OpenLDAP sync and userPassword crypt

Geoff Silver wrote:

> Two questions in one. First, I'm trying to figure out how difficult it will be to set up Active Directory on W2K to replicate its data to OpenLDAP. All we really need replicated is enough to build out /etc/passwd, /etc/shadow, and /etc/group files. I suspect the difficult part is getting the password out of SAM and into OpenLDAP in crypted form, though I'm guessing someone out there has done this.

Symas has a module which allows OpenLDAP to directly use Windows NTLM hashes as listed by pwdump. It's available as part of our Connexitor Directory Services.

> Second, I need to dump the OpenLDAP data into /etc/passwd,shadow,group files on some AIX systems.

Symas' Connexitor EMS can do this. It puts an LDAP interface on top of these (and many other) system files. (I.e., it installs an LDAP server whose database is backed by the host's native security files instead of some other database manager. On Unix it is backed by /etc/passwd,shadow,group, etc... On Windows it is backed by the SAM.) With this product you can manage a variety of platforms from a central OpenLDAP server and use regular LDAP replication to keep all of the systems synchronized. Note that AIX is a bit different from most Unix systems, and its account database is quite complex. Connexitor EMS handles all of its attributes properly.

> PAM is a poor choice

In general, yes.

> because connectivity is going to be an issue, and we're looking at roughly 200 remote sites with limited bandwidth. The goal is to dump the relevant data about once per day, but the tricky part is dumping the userPassword hash in a format which the OS can understand. I *suspect* {crypt} form will "just work", though I'm wondering if anyone can confirm or deny that

Yes, regular DES crypt will work. Of course there is no way to use the Windows hashes mentioned above for /etc/passwd, and short of running l0phtcrack for some number of hours, no way to reverse the Windows hashes back into cleartext.

> (if not, does anyone have a good solution - cleartext in LDAP salted to a crypt hash?)

That would give you the most flexibility. Alternatively, as long as your master database is an OpenLDAP 2.2 server, you can maintain multiple hashes on the server and replicate just the relevant values to each slave. Perform all password management on the central OpenLDAP server, storing crypt and NTLM hashes in parallel. We've set this arrangement up for many of our customers. Also with Connexitor EMS you have the option of propagating updates in realtime, rather than dumping once/day. This ability can be crucial when you need to quickly deactivate all the accounts for a particular user.

 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
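As an added illustration of the once-a-day dump discussed in this thread (this is example code written for this archive page, not code from Howard Chu, Symas or the Connexitor products), the script below takes an unwrapped LDIF dump of RFC 2307 posixAccount/posixGroup entries and emits /etc/passwd, /etc/shadow and /etc/group lines. It only copies a userPassword value into the shadow field when that value carries the {CRYPT} prefix; any other scheme ({SSHA}, an NTLM hash, cleartext) locks the account with "!" instead of leaking an unusable or plaintext value, which is the point made in the reply that only crypt-form hashes can go into the shadow file. The LDIF sample is constructed, the shadow layout is the classic Linux/SVR4 nine-field one (AIX keeps its own account database format, as the reply notes), and the gecos handling is an assumption.

```python
import re

# Constructed sample resembling an `ldapsearch -LLL` dump of posixAccount and
# posixGroup entries. Values are invented for this example.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/alice
loginShell: /bin/ksh
userPassword: {CRYPT}abJnggxhB/yWI
shadowLastChange: 12000
shadowMax: 90

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/bob
loginShell: /bin/ksh
userPassword: {SSHA}c2FsdGVkaGFzaHNhbHQ=

dn: cn=users,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: users
gidNumber: 100
memberUid: alice
memberUid: bob
"""

# Matches the {crypt} scheme tag in either case ({CRYPT} or {crypt}).
CRYPT_PREFIX = re.compile(r"^\{crypt\}", re.IGNORECASE)


def parse_ldif(text):
    """Parse a simple LDIF dump into a list of dicts (attribute -> list of values).
    Handles only unwrapped lines and non-base64 ('attr: value') syntax, which is
    enough for this example; base64 ('attr:: value') and continuation lines are not."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def shadow_hash(entry):
    """Return the hash to place in /etc/shadow. Only a {CRYPT}-tagged value is
    usable there; anything else (SSHA, NTLM, cleartext) locks the account with '!'
    rather than writing a value the OS cannot verify or that would expose a secret."""
    for value in entry.get("userPassword", []):
        if CRYPT_PREFIX.match(value):
            return CRYPT_PREFIX.sub("", value)
    return "!"


def first(entry, attr, default=""):
    """First value of a multi-valued attribute, or a default when absent."""
    return entry.get(attr, [default])[0]


def passwd_line(e):
    # login:x:uid:gid:gecos:home:shell ("x" defers the hash to /etc/shadow)
    return ":".join([first(e, "uid"), "x", first(e, "uidNumber"), first(e, "gidNumber"),
                     first(e, "gecos"), first(e, "homeDirectory"), first(e, "loginShell")])


def shadow_line(e):
    # login:hash:lastchg:min:max:warn:inactive:expire:reserved (nine fields)
    return ":".join([first(e, "uid"), shadow_hash(e), first(e, "shadowLastChange"),
                     first(e, "shadowMin"), first(e, "shadowMax"), first(e, "shadowWarning"),
                     first(e, "shadowInactive"), first(e, "shadowExpire"), ""])


def group_line(e):
    # group:x:gid:member1,member2,...
    return ":".join([first(e, "cn"), "x", first(e, "gidNumber"),
                     ",".join(e.get("memberUid", []))])


def build_files(ldif_text):
    """Return (passwd_lines, shadow_lines, group_lines) for the entries in the dump."""
    passwd, shadow, group = [], [], []
    for e in parse_ldif(ldif_text):
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "posixaccount" in classes:
            passwd.append(passwd_line(e))
            shadow.append(shadow_line(e))
        elif "posixgroup" in classes:
            group.append(group_line(e))
    return passwd, shadow, group


if __name__ == "__main__":
    for name, lines in zip(("passwd", "shadow", "group"), build_files(SAMPLE_LDIF)):
        print(f"--- {name} ---")
        print("\n".join(lines))
```

In a real deployment the dump would be fetched with ldapsearch over TLS by an account allowed to read userPassword, written to a temporary file with shadow's 0600 permissions, and installed atomically; the locked "!" entries are worth reporting, since each one is an account whose stored hash is in a scheme the target OS cannot use.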