RE: Integrate Heimdal's hdb-ldap and Samba

[mailto:owner-heimdal-discuss@sics.se]On Behalf Of Andrew Bartlett

> One thing we probably should allow (but probably not encourage) is
> putting plaintext passwords into LDAP, so that Samba, Heimdal,
> Cyrus-SASL, HTTP-Digest and the rest can all use the exact same
> password, without the multiple-hashes problem.   Then each program can
> hash it as required.

We have a patch for OpenLDAP to let default_passwd_hash take a list of hash
schemes instead of just one. Then whenever using the PasswordModify exop, all
of the hashes will be generated from the provided plaintext password. This
will allow multiple hashes to be maintained without actually needing to store
the plaintext. This patch will be in OpenLDAP's CVS HEAD soon. We also have a
{KRB5KEY} hash so that Heimdal can have its keys maintained automatically by
slapd. Of course Cyrus SASL still uses the plaintext...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
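
The multi-scheme behaviour described in the reply above, as an added example (not OpenLDAP's code and not the patch mentioned in the message): one plaintext is turned into several RFC 2307-style userPassword values, each verifiable on its own, and the plaintext is never stored. The function names, the 4-byte salt length and the sample password are assumptions made for this sketch; {KRB5KEY} is not covered.

```python
import base64
import hashlib
import hmac
import os

# Scheme prefix -> (hashlib algorithm, whether a random salt is appended)
SCHEMES = {
    "{SSHA}": ("sha1", True),
    "{SMD5}": ("md5", True),
    "{SHA}": ("sha1", False),
    "{MD5}": ("md5", False),
}
SALT_LEN = 4  # assumption for this sketch; verify() accepts any stored salt length


def hash_password(plaintext: bytes, scheme: str, salt: bytes = None) -> str:
    """Return one userPassword value: prefix + base64(digest || salt)."""
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.new(algo, plaintext + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def derive_all(plaintext: bytes, schemes: list) -> list:
    """One password change yields one stored value per configured scheme."""
    return [hash_password(plaintext, s) for s in schemes]


def verify(plaintext: bytes, stored: str) -> bool:
    """Check a candidate password against a single stored value."""
    prefix, _, encoded = stored.partition("}")
    scheme = prefix + "}"
    if scheme not in SCHEMES:
        return False  # unknown scheme or unprefixed value: reject
    algo = SCHEMES[scheme][0]
    raw = base64.b64decode(encoded)
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], raw[size:]  # salt is whatever follows the digest
    candidate = hashlib.new(algo, plaintext + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample password and scheme list, for illustration only.
    for value in derive_all(b"constructed-sample-pw", ["{SSHA}", "{SMD5}", "{SHA}"]):
        print(value, verify(b"constructed-sample-pw", value))
```

Each consumer reads only the value whose prefix it understands, so the number of stored values grows with the scheme list while the plaintext exists only for the duration of the password change.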