[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Questions about Active Directory Password Cache overlay

On Friday 04 April 2008 22:57:49 Wes Modes wrote:
> Thanks to Buchan Milne, I'm looking into the Active Directory Password
> Cache overlay for OpenLDAP, which seems to offer more or less what I'm
> trying to do.  Is anyone here experienced with it?  Is this the right
> place to ask or is there an openLDAP overlays list?
> I understand this description of ADPC:


> It is clear to me that after a password change, that a failure to
> authenticate

... with a simple bind ...

> initiates a new auth attempt against the KDC, and if it 
> succeeds, ADPC caches the passwd as a hash in OpenLDAP.  But if Samba
> fails to authenticate against the hash stored in sambaNTPassword, is a
> new authentication attempt made against the KDC?  And if it does, where
> does it get the passwd to hash (since Samba never gets the passwd in
> NTLM authentication)?
> Practically speaking, it seems that the password that the overlay hashes
> has to come from a source other than Samba.  A web app?

That's one way.

> How have people 
> used it in the past?

Some people use LDAP for things besides samba (in my case, samba is about 5% 
of my LDAP traffic for internal user accounts, which is about 1% of my total 
LDAP traffic ...).