On Sun, 2004-02-29 at 17:11, Howard Chu wrote:
> > -----Original Message-----
> > From: owner-heimdal-discuss@sics.se
> > [mailto:owner-heimdal-discuss@sics.se]On Behalf Of Andrew Bartlett
> >
> > One thing we probably should allow (but probably not encourage) is
> > putting plaintext passwords into LDAP, so that Samba, Heimdal,
> > Cyrus-SASL, HTTP-Digest and the rest can all use the exact same
> > password, without the multiple-hashes problem. Then each program can
> > hash it as required.
>
> We have a patch for OpenLDAP to let default_passwd_hash take a list of hash
> schemes instead of just one. Then whenever using the PasswordModify exop, all
> of the hashes will be generated from the provided plaintext password. This
> will allow multiple hashes to be maintained without actually needing to store
> the plaintext. This patch will be in OpenLDAP's CVS HEAD soon. We also have a
> {KRB5KEY} hash so that Heimdal can have its keys maintained automatically by
> slapd. Of course Cyrus SASL still uses the plaintext...

This is one of the things I've been waiting for for ages.

The tricky bit is that we need to modify attributes outside just the
userPassword. Storing the password is one thing, but if we store the
krb5Key in userPassword, we still need to store the KVNO (key version
number), and for samba you *must* update the 'last changed time'.

So, is it possible that your patch will update these attributes too, and
given that, will it update the krb5key and sambaNTpassword, or will we
need to have multiple places we look for passwords (not hard for Samba,
but a pain for all the auxiliary scripts)?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net