Date:      Tue, 12 Nov 2002 15:28:29 -0800
From:      Terry Lambert <tlambert2@mindspring.com>
To:        Eric Anderson <anderson@centtech.com>
Cc:        freebsd-chat@freebsd.org
Subject:   Re: LDAP Admin?
Message-ID:  <3DD18E9D.4ACC4A13@mindspring.com>
References:  <3DD13BE2.8000902@centtech.com> <3DD14FE5.7DAC9339@mindspring.com> <3DD15ADF.7070600@centtech.com> <3DD18044.A928D4AD@mindspring.com> <3DD18850.2050700@centtech.com>

Eric Anderson wrote:
> I'm using it to replace NIS, and pull my MS network in with my UNIX
> network for authentication.

If you are doing this, then you should know that you can not
replace an "Active Directory" server with an OpenLDAP server,
and successfully use it to authenticate MS clients.  The only
thing that works now is to deploy an MS Active Directory Server.

The reason for this is that the expansion Kerberos ticket ID
field that everyone bitched about Microsoft using and then not
documenting so that no one else could build a server, only
clients, contains a 32 bit integer which is a key Id field for
doing a lookup of a specific Active Directory record.

Basically: Microsoft has successfully locked other people out
of the server market by refusing to document this.  Last I
heard, Luke Howard had done some work on this for Samba, but I
have not heard anything lately about it.  But the Samba community
is where you will see anything, first.

As far as integrating MS clients to UNIX servers, that's a
different matter.  Do a web search for "NIS GINA"; it's a
client authentication package, which allows an NIS server to
be used to authenticate MS clients.

> I just need some simple stuff like pw changing tools, user
> adding/deleting tools, but was looking for what people use before I
> start to get it deployed.

Generally, you edit a template and import it via "ldapadd",
or you use PHPLDAP to add a record, after filling out the fields.

For passwords, they are generally stored as ciphertext, with
the cipher type embedded at the front of the ciphertext, in
braces, e.g. "{md5}xxyyzz", etc.  In other words, the data
contents are as generally exposed as NIS data contents, so a
dictionary attack is a possibility.

The normal way of dealing with this is to use an SSL connection
to connect to the LDAP server, and to give each user ownership
or at least write access, to their own directory entry, and then
*only* over the SSL, replace the contents of the password field.

For this to work, you have to embed the ciphertext type, per the
above, as part of the plaintext data that you send over the wire
in the update.

If you look at the LDAP "FAQ-o-matic", there are pointers to
tools that will enable you to do this... against an OpenLDAP
server.  If you need to do this against a Windows Active Directory
Server... you are screwed: you have to use the Windows tools to
do the job.

Normally, Microsoft recommends that you install all Microsoft
software, pay them huge fees, and forget UNIX.  If you install
Microsoft servers, then they will grudgingly support UNIX clients,
and provide the ability to provide, with some effort, and the
"UNIX Integration" stuff installed on an NT server, the ability
for UNIX users to surf to a web page, and change their UNIX
password that way.  Forget using the UNIX "passwd" command to
change a password on a Microsoft Active Directory Server, unless
Luke has done a lot more reverse engineering than I'm aware of
him having done.

In any case, I'm pretty sure that you will have to manage your
user accounts using Microsoft tools, even if you use the "SMB AUTH"
PAM module for UNIX authentication: you will still need to use a
Windows machine -- or a web server running on a Windows machine --
to change your UNIX passwords, if you do domain authentication.

Probably your best bet is to query the Samba community, and
potentially, the OpenLDAP community.

-- Terry
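The "{scheme}ciphertext" userPassword convention and the self-service password change described in the message above, as an added example that is not part of Terry's mail or of OpenLDAP itself. It assumes the RFC 2307 / OpenLDAP encoding of {SSHA} (base64 of sha1(password + salt) followed by the salt) and of unsalted {MD5} (base64 of md5(password)); the function names and the sample DN are constructed for illustration. The point it makes is the one in the mail: an unsalted scheme yields the same ciphertext for the same password, which is what makes a dictionary attack against a readable directory feasible, while a salted scheme does not, and the LDIF that replaces the field carries the scheme tag in the plaintext sent over the (TLS-protected) connection.

```python
import base64
import hashlib
import hmac
import os

# Constructed example values; not real directory data.
SAMPLE_DN = "uid=example,ou=people,dc=example,dc=org"


def ssha_hash(password, salt=None):
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt).

    A fresh 8-byte random salt is drawn per call unless one is supplied, so two
    users with the same password get different stored values.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def md5_hash(password):
    """Build an unsalted {MD5} value: base64(md5(password)).

    Identical passwords produce identical ciphertext, which is the weakness the
    mail warns about when the attribute is readable by anyone.
    """
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def split_scheme(stored):
    """Split '{scheme}data' into ('SCHEME', 'data'); scheme names are case-insensitive."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("userPassword value carries no {scheme} tag")
    end = stored.index("}")
    return stored[1:end].upper(), stored[end + 1:]


def verify_password(password, stored):
    """Check a candidate password against a tagged userPassword value.

    Uses a constant-time comparison so a verifier leaks nothing via timing.
    """
    scheme, data = split_scheme(stored)
    raw = base64.b64decode(data)
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]          # sha1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    raise ValueError("unsupported scheme: " + scheme)


def password_change_ldif(dn, new_value):
    """Return the LDIF modify record a user would send (over TLS only) to replace
    their own userPassword; the {scheme} tag travels as part of the plaintext."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: userPassword",
        "userPassword: " + new_value,
        "",
    ])


if __name__ == "__main__":
    stored = ssha_hash("correct horse")
    print(stored)
    print(password_change_ldif(SAMPLE_DN, stored))
```

Feeding the LDIF to ldapmodify over an ldaps:// or STARTTLS session, bound as the user whose entry is being changed, is the workflow the mail describes; the same record sent in the clear exposes the new hash (and, for an unsalted scheme, every other user with that password) to anyone on the path.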
