
RE: Integrate Heimdal's hdb-ldap and Samba



On Sun, 2004-02-29 at 17:11, Howard Chu wrote:
> > -----Original Message-----
> > From: owner-heimdal-discuss@sics.se
> > [mailto:owner-heimdal-discuss@sics.se]On Behalf Of Andrew Bartlett
> 
> > One thing we probably should allow (but probably not encourage) is
> > putting plaintext passwords into LDAP, so that Samba, Heimdal,
> > Cyrus-SASL, HTTP-Digest and the rest can all use the exact same
> > password, without the multiple-hashes problem. Then each program can
> > hash it as required.
> 
> We have a patch for OpenLDAP to let default_passwd_hash take a list of hash
> schemes instead of just one. Then whenever using the PasswordModify exop, all
> of the hashes will be generated from the provided plaintext password. This
> will allow multiple hashes to be maintained without actually needing to store
> the plaintext. This patch will be in OpenLDAP's CVS HEAD soon. We also have a
> {KRB5KEY} hash so that Heimdal can have its keys maintained automatically by
> slapd. Of course Cyrus SASL still uses the plaintext...

This is one of the things I've been waiting for for ages.  

The tricky bit is that we need to modify attributes outside just the
userPassword.  Storing the password is one thing, but if we store the
krb5Key in userPassword, we still need to store the KVNO (key version
number), and for samba you *must* update the 'last changed time'.

So, is it possible that your patch will update these attributes too, and
given that, will it update the krb5key and sambaNTpassword, or will we
need to have multiple places we look for passwords (not hard for Samba,
but a pain for all the auxiliary scripts)?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
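The maintenance problem raised in the thread (one password change must update several attributes together, not just userPassword) as an added Python sketch; this is not code from OpenLDAP, Heimdal or Samba. It assumes the attribute names krb5KeyVersionNumber and sambaPwdLastSet from the Heimdal hdb and Samba 3 schemas, and computes only an {SSHA} userPassword value, not the MD4-based NT hash.

```python
import base64
import hashlib
import os
import time

# Constructed example, not code from OpenLDAP, Heimdal or Samba.
# Attribute names are assumed from the Heimdal hdb and Samba 3 LDAP schemas.


def ssha_hash(password, salt=None):
    """Return an RFC 2307 style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a candidate password against a {SSHA} value by reusing its salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def password_change_mods(entry, new_password, salt=None, now=None):
    """Build the attribute changes a single password change must apply together.

    Besides the new userPassword hash, the Kerberos key version number is
    bumped (so the KDC and clients can tell old keys from the new one) and
    Samba's sambaPwdLastSet is refreshed; leaving either stale is exactly the
    inconsistency the thread warns about.  The NT hash (MD4 over UTF-16LE)
    is deliberately not computed here: hashlib's MD4 support depends on the
    OpenSSL build, and a wrong hash would silently break Samba logons.
    """
    now = int(time.time()) if now is None else now
    kvno = int(entry.get("krb5KeyVersionNumber", 0)) + 1
    return {
        "userPassword": ssha_hash(new_password, salt),
        "krb5KeyVersionNumber": str(kvno),
        "sambaPwdLastSet": str(now),
    }
```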
