
Re: AD -> OpenLDAP sync and userPassword crypt

All we really need replicated is enough to build out
/etc/passwd, /etc/shadow, and /etc/group files.  I suspect the difficult
part is getting the password out of SAM and into OpenLDAP in crypted
form, though I'm guessing someone out there has done this.

AFAIK, you can't. The password hash used by Windows is incompatible; the only way to convert would be brute force.

Yep, the Windows hash is just a hash, not an encrypted password string. My question, really, is if there is a way during the AD->OpenLDAP replication to convert the password hash to a usable userPassword field.

Second, I need to dump the OpenLDAP data into /etc/passwd,shadow,group
files on some AIX systems.  PAM is a poor choice because connectivity is
going to be an issue, and we're looking at roughly 200 remote sites with
limited bandwidth.  The goal is to dump the relevant data about once per
day, but the tricky part is dumping the userPassword hash in a format
which the OS can understand.  I *suspect* {crypt} form will "just work",
though I'm wondering if anyone can confirm or deny that

I don't think this is a viable strategy.

(if not, does
anyone have a good solution - cleartext in LDAP salted to a crypt hash?)

nss_updatedb, nss_ldap and nss_updatedb?

I've used pam_ldap and nss_ldap previously, and the biggest issue I can see is that we're looking at 200 remote sites with average latency, low-bandwidth connections. If the system needs to contact a remote LDAP server for authorization every time a file is opened, performance is going to suffer. Managing OpenLDAP replicas or proxy caches at each remote site isn't going to work either.

Geoff Silver					<geoff at uslinux dot net>
"If Bill Gates had a nickel for every time Windows crashed...
	Oh wait, he does"
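To make concrete why the hash-format question decides whether the once-a-day dump can work, here is an added Python example (not code from this thread or from OpenLDAP) that turns a posixAccount LDIF dump into passwd and shadow lines, copying the hash only when the stored scheme is {CRYPT} and locking any account whose scheme (such as {SSHA}, or an AD NT hash) cannot be converted. The LDIF content, attribute set and hash placeholder are constructed for the example.

```python
import base64, time
# Constructed slapcat-style LDIF (not from the list post). alice holds a {CRYPT}
# placeholder that can be copied verbatim into the shadow file; bob holds {SSHA},
# a digest in its own format that no replication step can turn into crypt(3).
SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,dc=example,dc=com\nuid: alice\nuidNumber: 1001\n"
    "gidNumber: 100\ngecos: Alice Example\nhomeDirectory: /home/alice\n"
    "loginShell: /bin/ksh\nuserPassword: {CRYPT}$1$saltsalt$placeholderhash0000000\n\n"
    "dn: uid=bob,ou=People,dc=example,dc=com\nuid: bob\nuidNumber: 1002\n"
    "gidNumber: 100\ngecos: Bob Example\nhomeDirectory: /home/bob\nloginShell: /bin/ksh\n"
    # slapcat base64-encodes many userPassword values ("attr:: value")
    "userPassword:: " + base64.b64encode(b"{SSHA}c2FsdGVkaGFzaHNhbHQ=").decode() + "\n"
)

def parse_ldif(text):
    """Return one dict per blank-line-separated LDIF record; decodes '::' base64 values."""
    entries, cur = [], {}
    for raw in text.splitlines() + [""]:           # trailing "" flushes the last record
        if not raw.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = raw.partition(":")
        if val.startswith(":"):                    # "attr:: <base64>"
            val = base64.b64decode(val[1:].strip()).decode()
        cur[attr] = val.strip()
    return entries

def shadow_hash(user_password):
    """crypt(3) string when the scheme is {CRYPT}; '!' (locked) for {SSHA}, {SMD5}, NT etc."""
    scheme, _, value = user_password.partition("}")
    if user_password.startswith("{") and scheme.upper() == "{CRYPT":
        return value
    return "!"

def ldif_to_passwd_shadow(ldif_text):
    """Build passwd and shadow lines from posixAccount entries; also return locked uids."""
    passwd, shadow = [], []
    lastchg = int(time.time() // 86400)            # shadow 'last changed' field, in days
    for e in parse_ldif(ldif_text):
        if "uidNumber" not in e:                   # not a posixAccount entry
            continue
        passwd.append(":".join([e["uid"], "x", e["uidNumber"], e["gidNumber"],
                                e.get("gecos", ""), e["homeDirectory"], e["loginShell"]]))
        shadow.append(f"{e['uid']}:{shadow_hash(e.get('userPassword', ''))}:{lastchg}:0:99999:7:::")
    locked = [s.split(":")[0] for s in shadow if s.split(":")[1] == "!"]
    return passwd, shadow, locked
```

AIX keeps its password hashes in /etc/security/passwd rather than /etc/shadow, so the shadow writer would need adapting to that stanza format before use there.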