Re: windows sync and password "clear"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Luigi Santangelo wrote:

Hi everybody, this is my problem:
I configured my Fedora DS and now I can sync the LDAP's users with Windows 2003 Active Directory. Then, I created a new user with this code ldif 

dn: uid=red,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
givenName: red
sn: red
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
uid: red
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
cn: red
ntUserDomainId: red
userPassword: redpwd
creatorsName: uid=root,ou=administrators,ou=topologymanagement,
o=netscaperoot
modifiersName: uid=root,ou=administrators,ou=topologymanagement,
o=netscaperoot
createTimestamp: 20080318153555Z
modifyTimestamp: 20080318153555Z
nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
Note that I wrote the user's password in "clear". Now, I can logon the Windows AD with the username red and the password redpwd. 
Then I added another user (yellow) with this code ldif

dn: uid=yellow,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
givenName: yellow
sn: yellow
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
uid: yellow
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
cn: yellow
ntUserDomainId: yellow
userPassword: {MD5}8cb32079718c657b02bbbb176b97d030
creatorsName: uid=root,ou=administrators,ou=topologymanagement,
o=netscaperoot
modifiersName: uid=root,ou=administrators,ou=topologymanagement,
o=netscaperoot
createTimestamp: 20080318153555Z
modifyTimestamp: 20080318153555Z
nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae

Note the MD5(yellowpwd) = 8cb32079718c657b02bbbb176b97d030
Then If I try logon the Windows AD (from Windows) with the username yellow and the password yellowred, I cannot log in. Instead, if I try logon the Windows AD with the username yellow and the 
password {MD5}8cb32079718c657b02bbbb176b97d030 I can log in.
Do you think that this is a problem strictly related to Windows' problem? How can I get over it?
You can't pre-hash the password on the client side if you want it to be properly sync'd to AD. The client needs to provide it's password to FDS in the clear, preferably over LDAPS or using a SASL mechanism that provides confidentiality. FDS will then hash it according to the default password hash storage scheme config setting. The clear password will be provided to AD over LDAPS so AD can hash it using the hashing scheme it needs. 

-NGK

Thank you in advance.


______________________________________________
Adotta un bambino a distanza. Avrà vestiti, cibo, scuola?e avrà te!
http://social.tiscali.it/promo/C02/sos/


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

<<attachment: smime.p7s>>

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux