From jon at compbio.dundee.ac.uk  Tue May  9 09:43:10 2006
From: jon at compbio.dundee.ac.uk (Jonathan Barber)
Date: Tue, 9 May 2006 10:43:10 +0100
Subject: [Fedora-directory-devel] userPassword/sambaNTPassword synchronization
Message-ID: <20060509094310.GD26139@flea.compbio.dundee.ac.uk>

Hi,
I'm currently looking at using FDS as a backend for Samba 3. The
issue I have is with sync'ing of the userpassword, sambaNTPassword, and
sambaLMPassword attributes, so that each of our users' accounts has a
consistent password for each attribute.

Samba can be configured to change all three of these attributes when
it receives a password change request (the "ldap passwd sync"
directive), but when the passwords are changed outwith samba (FDS
console, ldappasswd, etc.), the passwords lose sync. It therefore seems
sensible to write an FDS plugin to intercept password modification
attempts, and for the plugin to create all of the required hashes.

Before starting, I thought it'd be sensible to see if:
1) It was a good idea, or is there something blindingly obvious I've
missed which means it won't work.
2) Is there any ongoing work in this area that I can contribute to
rather than rolling my own.

WRT 2) I've seen the openldap smbk5pwd overlay, which does what I want,
but appears to be openldap specific.

Any comments?

Cheers.
--
Jonathan Barber
High Performance Computing Analysis
Tel. +44 (0) 1382 386389

From rmeggins at redhat.com  Tue May  9 13:28:35 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 09 May 2006 07:28:35 -0600
Subject: [Fedora-directory-devel] userPassword/sambaNTPassword synchronization
In-Reply-To: <20060509094310.GD26139@flea.compbio.dundee.ac.uk>
References: <20060509094310.GD26139@flea.compbio.dundee.ac.uk>
Message-ID: <44609903.2090900@redhat.com>

Jonathan Barber wrote:
> Hi,
> I'm currently looking at using FDS as a backend for Samba 3. The
> issue I have is with sync'ing of the userpassword, sambaNTPassword, and
> sambaLMPassword attributes, so that each of our users' accounts has a
> consistent password for each attribute.
>
> Samba can be configured to change all three of these attributes when
> it receives a password change request (the "ldap passwd sync"
> directive), but when the passwords are changed outwith samba (FDS
> console, ldappasswd, etc.), the passwords lose sync. It therefore seems
> sensible to write an FDS plugin to intercept password modification
> attempts, and for the plugin to create all of the required hashes.
>
> Before starting, I thought it'd be sensible to see if:
> 1) It was a good idea, or is there something blindingly obvious I've
> missed which means it won't work.

This is an excellent idea, and the community would greatly appreciate it.

> 2) Is there any ongoing work in this area that I can contribute to
> rather than rolling my own.
>

Not that I know of.

> WRT 2) I've seen the openldap smbk5pwd overlay, which does what I want,
> but appears to be openldap specific.
>

Yes, it is openldap specific. Although the openldap code license does
not preclude the inclusion of code into fedora ds, the APIs are very
different, so there may be little chance of code reuse. You can probably
reuse the code that does the actual password encryption, the algorithms
for NT and LM passwords. Or you can get them from the samba code.

You might take a look at an existing post-op plugin, like the
referential integrity plugin, to use as a template for this one.

> Any comments?
>
> Cheers.
>

From hyc at symas.com  Tue May  9 20:12:16 2006
From: hyc at symas.com (Howard Chu)
Date: Tue, 09 May 2006 13:12:16 -0700
Subject: [Fedora-directory-devel] Re: userPassword/sambaNTPassword synchronization
In-Reply-To: <20060509160043.E7AB573417@hormel.redhat.com>
References: <20060509160043.E7AB573417@hormel.redhat.com>
Message-ID: <4460F7A0.4090207@symas.com>

fedora-directory-devel-request at redhat.com wrote:
> Message: 1
> Date: Tue, 9 May 2006 10:43:10 +0100
> From: Jonathan Barber
>
> Hi,
> I'm currently looking at using FDS as a backend for Samba 3. The
> issue I have is with sync'ing of the userpassword, sambaNTPassword, and
> sambaLMPassword attributes, so that each of our users' accounts has a
> consistent password for each attribute.
>
> Samba can be configured to change all three of these attributes when
> it receives a password change request (the "ldap passwd sync"
> directive), but when the passwords are changed outwith samba (FDS
> console, ldappasswd, etc.), the passwords lose sync. It therefore seems
> sensible to write an FDS plugin to intercept password modification
> attempts, and for the plugin to create all of the required hashes.
>
> Before starting, I thought it'd be sensible to see if:
> 1) It was a good idea, or is there something blindingly obvious I've
> missed which means it won't work.
> 2) Is there any ongoing work in this area that I can contribute to
> rather than rolling my own.
>
> WRT 2) I've seen the openldap smbk5pwd overlay, which does what I want,
> but appears to be openldap specific.
>
> Any comments?
>
> Cheers.
>

Somewhere around here I wrote the corresponding SLAPI (smbk5pwd) plugin
for one of our clients a few years back. At the time there wasn't any
open source project to contribute it to, will have to see if I can dig
it up. It was only tested with SunOne but I expect it will work here.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

From zein at gawab.com  Wed May 10 13:55:28 2006
From: zein at gawab.com (Ahmed H. EL Zein)
Date: Wed, 10 May 2006 16:55:28 +0300
Subject: [Fedora-directory-devel] Re: autotools and summer of code
In-Reply-To: <4461EC64.3070708@gawab.net>
References: <4461EC64.3070708@gawab.net>
Message-ID: <4461F0D0.5070602@gawab.com>

Hello FDS developers,
I have been trying to install FDS on my Debian box and both the
Debian & Ubuntu howto and the dsbuild tool are proving quite a headache!
I would have liked to do a ./configure, setting up prefixes to suit me
but I understand that is not easy right now!

I found these links:
http://code.google.com/soc-results.html
http://sourceforge.net/projects/fds-build/

and I wanted to ask what is the status of the move to an autotools
build system!
Did the work done by Adrian Bunk find its way into the source tree?
If not, what was wrong with his method and what would be more suitable
if someone wanted to have a go at it!

Ahmed El Zein

From rmeggins at redhat.com  Wed May 10 14:05:19 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 10 May 2006 08:05:19 -0600
Subject: [Fedora-directory-devel] Re: autotools and summer of code
In-Reply-To: <4461F0D0.5070602@gawab.com>
References: <4461EC64.3070708@gawab.net> <4461F0D0.5070602@gawab.com>
Message-ID: <4461F31F.9090507@redhat.com>

Ahmed H. EL Zein wrote:
> Hello FDS developers,
> I have been trying to install FDS on my Debian box and both the
> Debian & Ubuntu howto and the dsbuild tool are proving quite a headache!
> I would have liked to do a ./configure, setting up prefixes to suit me
> but I understand that is not easy right now!
>
> I found these links:
> http://code.google.com/soc-results.html
> http://sourceforge.net/projects/fds-build/
>
> and I wanted to ask what is the status of the move to an autotools
> build system!

We're working on it.

> Did the work done by Adrian Bunk find its way into the source tree?

No, not yet, we're working on it.

> If not, what was wrong with his method and what would be more suitable
> if someone wanted to have a go at it!

We will be integrating his changes into the code in the near future.

>
> Ahmed El Zein
>