I looked, albeit it quickly, on the 389 web site for details on how
passsync works, but I didn't find any details only a how-to, so if the
answers to these questions are documented you could just point me to the
doc.
The question arose in the context of one of our field people who wants
to use FreeRADIUS backed against a 389 LDAP server which is pulling
passwords from AD using passsync.
FreeRADIUS needs ntlm hashes, but it can compute the ntlm hash from a
cleartext password if one is available (but it's better if the ntlm hash
is available in an attribute).
My understanding is that passsync will update 389 with a cleartext
password only. Is that correct? Is it possible to have passsync also
update the ntlm hash by either pulling from AD or by computing it from
the cleartext at the moment it's writing the cleartext into the 389
attributes?
The next relevant issue is how password prefix's are handled. I don't
know if this is a standard or just a convention, but passwords can be
prefixed with their format enclosed in braces, e.g. {clear}, {crypt},
{md5}, etc.
It turns out that FreeRADIUS when it queries a password will only
recognize a clear text password vs. hash if it's prefixed with {clear}
or {cleartext}. Is passsync capable of prepending the password type when
it updates the password attribute?
--
John Dennis <jdennis@xxxxxxxxxx>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
--
389-devel mailing list
389-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
