[389-devel] passsync

John Dennis jdennis at redhat.com
Mon Nov 16 16:03:30 UTC 2009


I looked, albeit quickly, on the 389 web site for details on how 
passsync works, but I didn't find any details, only a how-to, so if the 
answers to these questions are documented you could just point me to the 
doc.

The question arose in the context of one of our field people who wants 
to use FreeRADIUS backed against a 389 LDAP server which is pulling 
passwords from AD using passsync.

FreeRADIUS needs ntlm hashes, but it can compute the ntlm hash from a 
cleartext password if one is available (but it's better if the ntlm hash 
is available in an attribute).

My understanding is that passsync will update 389 with a cleartext 
password only. Is that correct? Is it possible to have passsync also 
update the ntlm hash by either pulling from AD or by computing it from 
the cleartext at the moment it's writing the cleartext into the 389 
attributes?

The next relevant issue is how password prefixes are handled. I don't 
know if this is a standard or just a convention, but passwords can be 
prefixed with their format enclosed in braces, e.g. {clear}, {crypt}, 
{md5}, etc.

It turns out that FreeRADIUS, when it queries a password, will only 
recognize a clear text password vs. a hash if it's prefixed with {clear} 
or {cleartext}. Is passsync capable of prepending the password type when 
it updates the password attribute?

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
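An added example, not part of the post above and not passsync or FreeRADIUS code, showing the two mechanics the questions touch: splitting the {scheme} prefix convention off a userPassword-style value, and deriving the NT hash (what the post calls the ntlm hash: MD4 over the UTF-16LE encoding of the password) when, and only when, the stored value is cleartext. MD4 is implemented inline because many OpenSSL builds ship it only as a "legacy" algorithm that hashlib cannot load. All function names, the rule that an unprefixed value is treated as cleartext, and the sample values are assumptions of this example.

```python
"""Added example: {scheme} prefix handling and NT-hash derivation.

Illustrative code only; not passsync, 389 or FreeRADIUS APIs.
"""
import struct
from typing import Optional, Tuple

MASK32 = 0xFFFFFFFF
CLEARTEXT_SCHEMES = {"clear", "cleartext"}


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 per RFC 1320 (inline because hashlib's md4 is
    frequently unavailable on OpenSSL 3 builds)."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    def f(p, q, r): return (p & q) | (~p & MASK32 & r)
    def g(p, q, r): return (p & q) | (p & r) | (q & r)
    def h(p, q, r): return p ^ q ^ r

    # (function, additive constant, word order, shift cycle) per round
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        w = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + w[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step works on old d
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def split_scheme(value: str) -> Tuple[Optional[str], str]:
    """Split '{scheme}data' into (scheme lower-cased, data).
    Returns (None, value) when there is no brace prefix."""
    if value.startswith("{"):
        end = value.find("}")
        if end > 1:
            return value[1:end].lower(), value[end + 1:]
    return None, value


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password, as hex."""
    return md4(password.encode("utf-16-le")).hex()


def nt_hash_from_user_password(value: str) -> Optional[str]:
    """Derive the NT hash only when the stored value is recoverable
    cleartext: tagged {clear}/{cleartext}, or untagged (treated as
    cleartext here; that is an assumption of this example). For any
    one-way scheme ({crypt}, {md5}, {ssha}, ...) return None, since a
    hash of the password cannot be turned into an NT hash."""
    scheme, data = split_scheme(value)
    if scheme is None or scheme in CLEARTEXT_SCHEMES:
        return nt_hash(data)
    return None


def tag_cleartext(password: str) -> str:
    """Prepend {clear} so a consumer that keys on the prefix treats the
    value as cleartext instead of an unrecognised hash."""
    return "{clear}" + password


if __name__ == "__main__":
    # Constructed sample attribute values; the {crypt} data is not a real hash.
    for v in ("{clear}password", "password", "{crypt}xxj31ZMTZzkVA", "{SSHA}c2FsdGVkaGFzaA=="):
        print(f"{v!r:30} -> {nt_hash_from_user_password(v)}")
```

The point of returning None for non-cleartext schemes is the one that matters for the deployment described: once AD passwords reach 389 as a one-way hash there is nothing left to derive an NT hash from, so the NT hash has to be produced at the moment the cleartext is available, exactly as the post asks.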
