From owner-freebsd-chat Tue Nov 12 15:30: 2 2002
Delivered-To: freebsd-chat@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5E53737B401 for ; Tue, 12 Nov 2002 15:29:59 -0800 (PST)
Received: from harrier.mail.pas.earthlink.net (harrier.mail.pas.earthlink.net [207.217.120.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id CCD8643E3B for ; Tue, 12 Nov 2002 15:29:58 -0800 (PST) (envelope-from tlambert2@mindspring.com)
Received: from pool0050.cvx22-bradley.dialup.earthlink.net ([209.179.198.50] helo=mindspring.com) by harrier.mail.pas.earthlink.net with esmtp (Exim 3.33 #1) id 18BkTj-0007JZ-00; Tue, 12 Nov 2002 15:29:56 -0800
Message-ID: <3DD18E9D.4ACC4A13@mindspring.com>
Date: Tue, 12 Nov 2002 15:28:29 -0800
From: Terry Lambert
X-Mailer: Mozilla 4.79 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Eric Anderson
Cc: freebsd-chat@freebsd.org
Subject: Re: LDAP Admin?
References: <3DD13BE2.8000902@centtech.com> <3DD14FE5.7DAC9339@mindspring.com> <3DD15ADF.7070600@centtech.com> <3DD18044.A928D4AD@mindspring.com> <3DD18850.2050700@centtech.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Eric Anderson wrote:
> I'm using it to replace NIS, and pull my MS network in with my UNIX
> network for authentication.

If you are doing this, then you should know that you can not replace an "Active Directory" server with an OpenLDAP server, and successfully use it to authenticate MS clients. The only thing that works now is to deploy an MS Active Directory Server.

The reason for this is that the expansion Kerberos ticket ID field that everyone bitched about Microsoft using and then not documenting, so that no one else could build a server, only clients, contains a 32 bit integer which is a key ID field for doing a lookup of a specific Active Directory record. Basically: Microsoft has successfully locked other people out of the server market by refusing to document this.

Last I heard, Luke Howard had done some work on this for Samba, but I have not heard anything lately about it. But the Samba community is where you will see anything, first.

As far as integrating MS clients to UNIX servers, that's a different matter. Do a web search for "NIS GINA"; it's a client authentication package, which allows an NIS server to be used to authenticate MS clients.

> I just need some simple stuff like pw changing tools, user
> adding/deleting tools, but was looking for what people use before I
> start to get it deployed.

Generally, you edit a template and import it via "ldapadd", or you use PHPLDAP to add a record, after filling out the fields.

For passwords, they are generally stored as ciphertext, with the cipher type embedded at the front of the ciphertext, in braces, e.g. "{md5}xxyyzz", etc. In other words, the data contents are as generally exposed as NIS data contents, so a dictionary attack is a possibility.

The normal way of dealing with this is to use an SSL connection to connect to the LDAP server, and to give each user ownership of, or at least write access to, their own directory entry, and then *only* over the SSL, replace the contents of the password field. For this to work, you have to embed the ciphertext type, per the above, as part of the plaintext data that you send over the wire in the update.

If you look at the LDAP "FAQ-o-matic", there are pointers to tools that will enable you to do this... against an OpenLDAP server.

If you need to do this against a Windows Active Directory Server... you are screwed: you have to use the Windows tools to do the job.

Normally, Microsoft recommends that you install all Microsoft software, pay them huge fees, and forget UNIX. If you install Microsoft servers, then they will grudgingly support UNIX clients, and provide the ability to provide, with some effort, and the "UNIX Integration" stuff installed on an NT server, the ability for UNIX users to surf to a web page, and change their UNIX password that way.

Forget using the UNIX "passwd" command to change a password on a Microsoft Active Directory Server, unless Luke has done a lot more reverse engineering than I'm aware of him having done.

In any case, I'm pretty sure that you will have to manage your user accounts using Microsoft tools, even if you use the "SMB AUTH" PAM module for UNIX authentication: you will still need to use a Windows machine -- or a web server running on a Windows machine -- to change your UNIX passwords, if you do domain authentication.

Probably your best bet is to query the Samba community, and potentially, the OpenLDAP community.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message
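The post above describes two things worth seeing in code: the "{scheme}ciphertext" convention for the LDAP userPassword attribute (which is why a readable attribute is a dictionary-attack target), and the client-side password change that ships an already-hashed, scheme-prefixed value in an ldapmodify update. The following is an added example and is not code from Terry Lambert's post, from OpenLDAP, or from any tool the post names. It assumes the RFC 2307 scheme names {MD5}, {SHA} and {SSHA} (base64 of the digest, with the salt appended to the digest for SSHA); the DN, the test passwords and the wordlist are constructed for the demonstration.

```python
"""Added example: RFC 2307-style userPassword values ("{SCHEME}base64...").

Builds and verifies values in the {MD5}, {SHA} and {SSHA} schemes, runs a
dictionary attack against a value an attacker can read, and emits the LDIF
an SSL-connected client would send to replace its own userPassword.
"""
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple


def make_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Return "{SCHEME}base64(digest[+salt])" for the given scheme."""
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "MD5":
        blob = hashlib.md5(pw).digest()
    elif scheme == "SHA":
        blob = hashlib.sha1(pw).digest()
    elif scheme == "SSHA":
        # Salted SHA-1: sha1(password || salt) with the salt appended so
        # the verifier can recover it from the stored value.
        salt = os.urandom(4) if salt is None else salt
        blob = hashlib.sha1(pw + salt).digest() + salt
    else:
        raise ValueError("unsupported scheme %r" % scheme)
    return "{%s}%s" % (scheme, base64.b64encode(blob).decode("ascii"))


def parse_userpassword(stored: str) -> Tuple[str, bytes]:
    """Split "{SCHEME}base64" into (SCHEME, raw bytes)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {SCHEME} prefix")
    scheme, b64 = stored[1:].split("}", 1)
    return scheme.upper(), base64.b64decode(b64)


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored userPassword value."""
    scheme, blob = parse_userpassword(stored)
    pw = candidate.encode("utf-8")
    if scheme == "MD5":
        return hmac.compare_digest(blob, hashlib.md5(pw).digest())
    if scheme == "SHA":
        return hmac.compare_digest(blob, hashlib.sha1(pw).digest())
    if scheme == "SSHA":
        digest, salt = blob[:20], blob[20:]   # SHA-1 digest is 20 bytes
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("unsupported scheme %r" % scheme)


def dictionary_attack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker does with a readable userPassword: try each word.

    Unsalted schemes can even be attacked with precomputed tables; SSHA
    forces one hash per (word, entry) pair but is still cheap per guess.
    """
    for word in wordlist:
        if verify_userpassword(stored, word):
            return word
    return None


def password_change_ldif(dn: str, new_password: str, scheme: str = "SSHA",
                         salt: Optional[bytes] = None) -> str:
    """LDIF for the client-side change the post describes: the client hashes
    the new password, prefixes the scheme, and replaces its own attribute.
    Only ever send this over an SSL/TLS-protected connection."""
    value = make_userpassword(new_password, scheme, salt)
    return "\n".join([
        "dn: %s" % dn,
        "changetype: modify",
        "replace: userPassword",
        "userPassword: %s" % value,
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed demo data (hypothetical DN and wordlist).
    dn = "uid=eric,ou=People,dc=example,dc=com"
    stored = make_userpassword("letmein", "SSHA")
    print(stored)
    print("cracked:", dictionary_attack(stored, ["password", "letmein", "secret"]))
    print(password_change_ldif(dn, "correct horse battery staple"))
```

The LDIF above is what you would feed to ldapmodify over an SSL/TLS session, bound as the user whose entry is being changed; the server stores the string as-is, so it never sees the cleartext, but anyone who can read the attribute afterwards gets exactly what dictionary_attack() gets.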