Re: Windows Sync (via changelog) only works with front-ends sending unencrypted passwords


lambam80@xxxxxxxxxxx wrote:
Hello everybody and a BIG thanks to Rich, and the rest of you, for your kind aid. Can you please help with something else ?

HISTORY
-------
We're currently investigating using Windows SYNC but only the password part of the SYNC functionality - no accounts. My prototype works fine - if I change a password with Windows Ctrl+Alt+Del it is propagated to Redhat Directory Server (RHDS). If I change the RHDS password with a simple front end it is propagated to Windows Active-Directory (Netscape console, for example, or a script with userpassword: secret-password ).

I read the following: "Directory Server passwords are synchronized along with other entry attributes because plain-text passwords are retained in the Directory Server changelog."
Source: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html#Windows_Sync-About_Windows_Sync

PROBLEM ?
---------
I think this only works with RHDS and password changing front-ends that send the password unencrypted. For example, if I do something like the following with RHDS:

./ldapmodify -P "/root/.mozilla/firefox/acu5w0yl.default/cert8.db" -c -h ${DEST_HOST} -p ${DEST_PORT} -D "${DEST_BIND}" -w $DESTDN_PASSWORD <<EOF
dn: uid=${TGI},ou=People,${DEST_SUFFIX}
changetype: modify
replace: userpassword
userpassword: {SHA}v9KDMpMQgX13LuXtmWzmSaIcNGM=
EOF

Note: Please note the {SHA} stuff in 'userpassword'. I cannot see how, using the changelog, RHDS can unencrypt the password from {SHA} so as to re-encode it in unicodePwd for sending to Active-Directory.

unicodePwd: good link http://www.eyrie.org/~eagle/journal/2007-07/010.html

My tests show that it doesn't work: After running the script I cannot login to Windows using my account/secret-password.

If however, I change my script to use the password unencrypted (userpassword: secret-password) the propagation works again and I can log into my Windows client.

Q1. Am I correct that it only works with RHDS front-ends that send the password unencrypted ?
Yes. SHA and other hashes are one way only - it is practically impossible to convert a SHA hash to the original clear text password. In addition, AD must have the clear text password sent to it in order for it to generate its hashes and keys used for Windows authentication.
Thanks,
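As an added illustration of the point made in the reply above (this is not code from the thread, from RHDS or from the Windows Sync plug-in): a small Python check that classifies the userPassword values in an LDIF modify stream, flags the pre-hashed ones that the changelog can never turn back into clear text, and shows the unicodePwd wire form AD expects for a clear-text value. The LDIF sample is constructed from the values in this thread, and the function names are my own.

```python
import base64
import re
# RFC 2307 style "{SCHEME}" prefix: RHDS stores such a value verbatim, so the
# changelog holds only a one-way hash and no clear text can be recovered from it.
HASH_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")

def password_scheme(value: str) -> str:
    """Return the hash scheme name ('SHA', 'SSHA', ...) or 'clear' if none."""
    m = HASH_SCHEME_RE.match(value)
    return m.group(1).upper() if m else "clear"

def syncable_to_ad(value: str) -> bool:
    """Only a clear-text userPassword can be re-encoded as unicodePwd for AD."""
    return password_scheme(value) == "clear"

def encode_unicode_pwd(clear: str) -> str:
    """AD's unicodePwd wire form: the password wrapped in double quotes and
    encoded as UTF-16-LE, shown base64-encoded as it would appear in LDIF."""
    return base64.b64encode(f'"{clear}"'.encode("utf-16-le")).decode("ascii")

def ldif_password_changes(ldif_text: str):
    """Yield (dn, userPassword value) pairs from an LDIF modify stream."""
    dn = None
    for line in ldif_text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue  # blank line or record separator
        key, val = key.strip().lower(), val.strip()
        if key == "dn":
            dn = val
        elif key == "userpassword":
            yield dn, val

def audit_ldif(ldif_text: str):
    """List (dn, scheme, will_sync) for every password change in the LDIF."""
    return [(dn, password_scheme(v), syncable_to_ad(v))
            for dn, v in ldif_password_changes(ldif_text)]

# Constructed sample: the {SHA} value from the thread and a clear-text change.
SAMPLE_LDIF = """dn: uid=alice,ou=People,dc=example,dc=com
changetype: modify
replace: userpassword
userpassword: {SHA}v9KDMpMQgX13LuXtmWzmSaIcNGM=

dn: uid=bob,ou=People,dc=example,dc=com
changetype: modify
replace: userpassword
userpassword: secret-password
"""
```

Running `audit_ldif(SAMPLE_LDIF)` reports the first change as scheme SHA and not syncable, the second as clear and syncable, which matches the behaviour observed in the thread.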


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

