[tech] manbo, ldap, stuff
James Andrewartha
trs80 at ucc.gu.uwa.edu.au
Tue Feb 20 15:50:20 WST 2007
On Sat, 17 Feb 2007, James Andrewartha wrote:
> On Sat, 17 Feb 2007, Davyd Madeley wrote:
>> So passwd can't be configured to change someone's authentication details
>> in LDAP, or not until we switch over to LDAP as our auth mechanism top
>> to bottom?
>
> passwd will change their unix password, but not sambaLMPassword and
> sambaNTPassword.
An update - smbpasswd will only change samba{LM,NT}Password, as the Sun DS
doesn't support the LDAP password change extended operation. The only tool
that will update both at once is smbldap-passwd, which calculates the
hashes itself. Hence I thought about moving to OpenLDAP (see below), which
has a contrib module smbk5pwd that keeps all passwords in sync.
> Yes. Replication is something we should definitely look at, along with
> setting up SSL. It doesn't look like OpenLDAP can replicate the Sun DS,
> but the Sun DS does run on Linux so we can run it on another machine.
I've installed Sun DS on martello, and it seems to be working ok, but I
haven't set up replication yet. I also had the crazy idea of dumping the
current config (since it works fine with solaris clients) into OpenLDAP,
but that falls down because SSH key authentication on Solaris requires an
LDAP extension only in Sun DS. If anyone's feeling adventurous, it doesn't
look that hard to hack into OpenLDAP and just return 0,-1:
http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libsldap/common/ns_reads.c#4255
http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libsldap/common/ns_sldap.h#312
Alternatively, we could put dropbear on a different port and people who
wanted public-key authentication could use that, or Matt could add LDAP
auth directly to dropbear and we could turn off Sun's sshd ;-) See
http://opensolaris.org/jive/thread.jspa?threadID=614&tstart=0 for details
on the SSH problem.
Ultimately it depends on what the goals for LDAP are - one password to
rule them all, or just conversion to a more modern and secure
authentication scheme. If it's the latter and people are ok with having
the Windows/Unix password split, then none of the above hackery is
necessary. Please respond with your thoughts on the matter.
--
# TRS-80 trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member http://trs80.ucc.asn.au/ #| what squirrels do best |
[ "There's nobody getting rich writing ]| -- Collect and hide your |
[ software that I know of" -- Bill Gates, 1980 ]\ nuts." -- Acid Reflux #231 /