On Friday 04 April 2008 22:57:49 Wes Modes wrote:
> Thanks to Buchan Milne, I'm looking into the Active Directory Password Cache overlay for OpenLDAP, which seems to offer more or less what I'm trying to do. Is anyone here experienced with it? Is this the right place to ask, or is there an OpenLDAP overlays list?
>
> I understand this description of ADPC:
> [...]
> It is clear to me that after a password change, a failure to authenticate

... with a simple bind ...

> initiates a new auth attempt against the KDC, and if it succeeds, ADPC caches the passwd as a hash in OpenLDAP. But if Samba fails to authenticate against the hash stored in sambaNTPassword, is a new authentication attempt made against the KDC? And if it does, where does it get the passwd to hash (since Samba never gets the passwd in NTLM authentication)?
>
> Practically speaking, it seems that the password that the overlay hashes has to come from a source other than Samba. A web app?

That's one way.

> How have people used it in the past?

Some people use LDAP for things besides samba (in my case, samba is about 5% of my LDAP traffic for internal user accounts, which is about 1% of my total LDAP traffic ...).
Regards, Buchan
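The distinction Buchan draws above (a simple bind carries the plaintext and can fall through to the KDC, an NTLM challenge-response does not) is easy to see in a small simulation. The Python below is an added example, not code from the thread, from the ADPC overlay, or from OpenLDAP/Samba. It assumes a stand-in KDC (a dictionary of current passwords), a SHA-256 stand-in for the MD4-based NT hash so it runs without a legacy MD4 provider, and a simplified HMAC challenge-response in place of the real NTLM message format; the names `PasswordCache`, `kdc_authenticate`, `nt_style_hash` and `client_ntlm_response` are all hypothetical.

```python
import hashlib
import hmac

# Constructed stand-in for the KDC's view of current passwords (not a real Kerberos
# exchange): principal -> current plaintext password, as the KDC would verify it.
KDC_PASSWORDS = {"alice": "NewPassw0rd!"}


def kdc_authenticate(user, password):
    """Stand-in for verifying a plaintext password against the KDC."""
    return KDC_PASSWORDS.get(user) == password


def nt_style_hash(password):
    """Stand-in for the value the overlay would cache in sambaNTPassword.

    The real NT hash is MD4 over the UTF-16LE password; SHA-256 is used here
    (assumption) so the example runs everywhere. The property that matters is
    the same: the value can only be derived from the plaintext.
    """
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest().upper()


def client_ntlm_response(password, challenge):
    """Toy challenge-response: the client proves it holds the hash of its password
    without ever sending the password (simplified, not the real NTLM format)."""
    key = bytes.fromhex(nt_style_hash(password))
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()


class PasswordCache:
    """The cached hash in the directory and the two ways it gets consulted."""

    def __init__(self):
        self.entries = {}        # user -> cached hash (stand-in for sambaNTPassword)
        self.kdc_attempts = 0    # how often the server had to go to the KDC

    def simple_bind(self, user, password):
        """Simple bind carries the plaintext: a miss against the cached hash can be
        retried at the KDC and, on success, refreshes the stale entry."""
        cached = self.entries.get(user)
        if cached is not None and hmac.compare_digest(cached, nt_style_hash(password)):
            return True
        self.kdc_attempts += 1
        if kdc_authenticate(user, password):
            self.entries[user] = nt_style_hash(password)   # refresh the cache
            return True
        return False

    def ntlm_verify(self, user, challenge, response):
        """NTLM path: only the cached hash is available. With a stale entry the
        check fails, and there is no plaintext to take to the KDC, so no refresh."""
        cached = self.entries.get(user)
        if cached is None:
            return False
        expected = hmac.new(bytes.fromhex(cached), challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def walkthrough():
    """Password changed at the KDC while the cache still holds the old hash."""
    cache = PasswordCache()
    cache.entries["alice"] = nt_style_hash("OldPassw0rd!")   # constructed stale entry
    challenge = b"\x00\x11\x22\x33\x44\x55\x66\x77"           # constructed server challenge

    # Samba client already uses the new password; the server only has the old hash.
    ntlm_before = cache.ntlm_verify(
        "alice", challenge, client_ntlm_response("NewPassw0rd!", challenge))
    kdc_after_ntlm = cache.kdc_attempts
    # A simple bind with the new password misses the cache, succeeds at the KDC,
    # and refreshes the cached hash.
    bind_ok = cache.simple_bind("alice", "NewPassw0rd!")
    kdc_after_bind = cache.kdc_attempts
    ntlm_after = cache.ntlm_verify(
        "alice", challenge, client_ntlm_response("NewPassw0rd!", challenge))
    return {
        "ntlm_before_refresh": ntlm_before,
        "kdc_attempts_after_ntlm": kdc_after_ntlm,
        "simple_bind_ok": bind_ok,
        "kdc_attempts_after_bind": kdc_after_bind,
        "ntlm_after_refresh": ntlm_after,
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Running `walkthrough()` shows the NTLM check failing with no KDC attempt, then the simple bind refreshing the entry, after which NTLM succeeds; that is why something that sees the plaintext (a simple bind, a web app, a password-change hook) has to feed the cache before Samba can use it.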