Luigi Santangelo wrote:
> Hi everybody, this is my problem:
> I configured my Fedora DS and now I can sync the LDAP's users with
> Windows 2003 Active Directory. Then, I created a new user with this
> code ldif
>
> dn: uid=red,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
> givenName: red
> sn: red
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: ntuser
> uid: red
> ntUserCreateNewAccount: true
> ntUserDeleteAccount: true
> cn: red
> ntUserDomainId: red
> userPassword: redpwd
> creatorsName: uid=root,ou=administrators,ou=topologymanagement,
> o=netscaperoot
> modifiersName: uid=root,ou=administrators,ou=topologymanagement,
> o=netscaperoot
> createTimestamp: 20080318153555Z
> modifyTimestamp: 20080318153555Z
> nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
>
> Note that I wrote the user's password in "clear". Now, I can logon the
> Windows AD with the username red and the password redpwd.
> Then I added another user (yellow) with this code ldif
>
> dn: uid=yellow,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
> givenName: yellow
> sn: yellow
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: ntuser
> uid: yellow
> ntUserCreateNewAccount: true
> ntUserDeleteAccount: true
> cn: yellow
> ntUserDomainId: yellow
> userPassword: {MD5}8cb32079718c657b02bbbb176b97d030
> creatorsName: uid=root,ou=administrators,ou=topologymanagement,
> o=netscaperoot
> modifiersName: uid=root,ou=administrators,ou=topologymanagement,
> o=netscaperoot
> createTimestamp: 20080318153555Z
> modifyTimestamp: 20080318153555Z
> nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
>
> Note the MD5(yellowpwd) = 8cb32079718c657b02bbbb176b97d030
> Then If I try logon the Windows AD (from Windows) with the username
> yellow and the password yellowred, I cannot log in. Instead, if I try
> logon the Windows AD with the username yellow and the
> password {MD5}8cb32079718c657b02bbbb176b97d030 I can log in.
> Do you think that this is a problem strictly related to Windows'
> problem? How can I get over it?
>
You can't pre-hash the password on the client side if you want it to be
properly sync'd to AD. The client needs to provide it's password to FDS
in the clear, preferably over LDAPS or using a SASL mechanism that
provides confidentiality. FDS will then hash it according to the
default password hash storage scheme config setting. The clear password
will be provided to AD over LDAPS so AD can hash it using the hashing
scheme it needs.
-NGK
> Thank you in advance.
>
>
> ______________________________________________
> Adotta un bambino a distanza. Avr? vestiti, cibo, scuola?e avr? te!
> http://social.tiscali.it/promo/C02/sos/
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20080328/b6a74395/attachment.bin
