
Re: Manage own LDAP Address book entry



Buchan Milne wrote:

| Since some of the questions aren't answered by the admin guide, some
| quickies ...

|>I guess I could make an attribute "password" but what about the
|>samba/unix/email login password? They should all be the same, and I don't
|>want to make multiple password attributes in my object units.
|>( I hope I use attribute and object units right here)

| You have to use multiple attributes to sensibly support samba (since
| samba uses encryption methods openldap does not support). The
| userPassword can be used by pam_ldap (since it just binds - does the
| equivalent of ldapwhoami ...). But, pam_ldap is off-topic for this list.

That is not strictly true. OpenLDAP has included support for LMhash in the userPassword attribute for years, and there is code in contrib for the NThash as well, but the Samba team never used it.


| These documents may help you understand it more:
|
| http://www.mandrakesecure.net/en/docs/samba-pdc.php
| http://www.mandrakesecure.net/en/docs/samba-ldap-advanced.php
|
| Of course, you will need an ACL to allow users to change the relevant
| attributes.

Password synchronization and security management can be a lot easier than those docs describe, but you have to patch Samba to use LDAP more effectively. I don't think Samba 3.0 is much better in this regard, but again, the tools are provided in OpenLDAP to make it easy.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
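As an added illustration of the ACL point raised above (this is example configuration written for this archive page, not something posted in the thread or shipped by OpenLDAP or Samba), here is a slapd.conf access section that lets a user change their own address-book entry and password while keeping password hashes unreadable by anyone else. The attribute names lmPassword and ntPassword are assumed from the Samba 2.2-era LDAP schema; substitute whatever password attributes the schema in use actually defines, and adjust the address-book attribute list to the objectClasses in your directory.

```conf
# Example slapd.conf access directives (constructed example, not from the thread).
# slapd evaluates "access to" clauses in order and stops at the first one whose
# target matches, so the password clause must come before the catch-all.

# Password attributes: the user may replace their own; anonymous may use them
# only to authenticate (bind); nobody, including other users, may read them.
# "by * none" at the end is what stops the hashes leaking to directory searches.
access to attrs=userPassword,lmPassword,ntPassword
        by self write
        by anonymous auth
        by * none

# Address-book attributes: the owner may edit them, other authenticated users
# may read them, anonymous clients get nothing.
access to attrs=cn,sn,givenName,mail,telephoneNumber,mobile,postalAddress
        by self write
        by users read
        by * none

# Everything else in the entry is read-only for authenticated users.
access to *
        by users read
        by * none
```

Two checks worth doing after loading this: confirm that an anonymous search returning userPassword comes back empty (ldapsearch -x with no bind DN against an entry you know has a password), and confirm that a user bound as themselves can ldapmodify their own mail or telephoneNumber but not another user's. Because "by anonymous auth" means the client sends the password in a simple bind, the same directory should only accept those binds over TLS or ldaps, otherwise the ACL protects the stored hash while the cleartext crosses the wire.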