Hi everybody, this is my problem: I configured my Fedora DS and now I can sync the LDAP's users with Windows 2003 Active Directory. Then, I created a new user with this code ldif
dn: uid=red,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx givenName: red sn: red objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: ntuser uid: red ntUserCreateNewAccount: true ntUserDeleteAccount: true cn: red ntUserDomainId: red userPassword: redpwd creatorsName: uid=root,ou=administrators,ou=topologymanagement, o=netscaperoot modifiersName: uid=root,ou=administrators,ou=topologymanagement, o=netscaperoot createTimestamp: 20080318153555Z modifyTimestamp: 20080318153555Z nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
Note that I wrote the user's password in "clear". Now, I can logon the Windows AD with the username red and the password redpwd. Then I added another user (yellow) with this code ldif
dn: uid=yellow,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx givenName: yellow sn: yellow objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: ntuser uid: yellow ntUserCreateNewAccount: true ntUserDeleteAccount: true cn: yellow ntUserDomainId: yellow userPassword: {MD5}8cb32079718c657b02bbbb176b97d030 creatorsName: uid=root,ou=administrators,ou=topologymanagement, o=netscaperoot modifiersName: uid=root,ou=administrators,ou=topologymanagement, o=netscaperoot createTimestamp: 20080318153555Z modifyTimestamp: 20080318153555Z nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
Note the MD5(yellowpwd) = 8cb32079718c657b02bbbb176b97d030 Then If I try logon the Windows AD (from Windows) with the username yellow and the password yellowred, I cannot log in. Instead, if I try logon the Windows AD with the username yellow and the password {MD5}8cb32079718c657b02bbbb176b97d030 I can log in. Do you think that this is a problem strictly related to Windows' problem? How can I get over it? Thank you in advance.
______________________________________________ Adotta un bambino a distanza. Avrà vestiti, cibo, scuola?e avrà te! http://social.tiscali.it/promo/C02/sos/
I don't know where I read but as far I know you should use only UNIX crypt for password, so don't use MD5.
Para <fedora-directory-users@redhat.c om> Luigi Santangelo cc <santangelo.luigi@tiscal i.it> Asunto Enviado por: [Fedora-directory-users] windows fedora-directory-users-b sync and password "clear" ounces@redhat.com Clasificación Uso Interno 19/03/2008 06:37 a.m.
Por favor, responda a Luigi Santangelo <santangelo.luigi@tiscal i.it>; Por favor, responda a "General discussion list for the Fedora Directory server project." <fedora-directory-users@ redhat.com>
Hi everybody, this is my problem: I configured my Fedora DS and now I can sync the LDAP's users with Windows 2003 Active Directory. Then, I created a new user with this code ldif
dn: uid=red,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx givenName: red sn: red objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: ntuser uid: red ntUserCreateNewAccount: true ntUserDeleteAccount: true cn: red ntUserDomainId: red userPassword: redpwd creatorsName: uid=root,ou=administrators,ou=topologymanagement, o=netscaperoot modifiersName: uid=root,ou=administrators,ou=topologymanagement, o=netscaperoot createTimestamp: 20080318153555Z modifyTimestamp: 20080318153555Z nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
Note that I wrote the user's password in "clear". Now, I can logon the Windows AD with the username red and the password redpwd. Then I added another user (yellow) with this code ldif
dn: uid=yellow,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx givenName: yellow sn: yellow objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: ntuser uid: yellow ntUserCreateNewAccount: true ntUserDeleteAccount: true cn: yellow ntUserDomainId: yellow userPassword: {MD5}8cb32079718c657b02bbbb176b97d030 creatorsName: uid=root,ou=administrators,ou=topologymanagement, o=netscaperoot modifiersName: uid=root,ou=administrators,ou=topologymanagement, o=netscaperoot createTimestamp: 20080318153555Z modifyTimestamp: 20080318153555Z nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
Note the MD5(yellowpwd) = 8cb32079718c657b02bbbb176b97d030 Then If I try logon the Windows AD (from Windows) with the username yellow and the password yellowred, I cannot log in. Instead, if I try logon the Windows AD with the username yellow and the password {MD5}8cb32079718c657b02bbbb176b97d030 I can log in. Do you think that this is a problem strictly related to Windows' problem? How can I get over it? Thank you in advance.
______________________________________________ Adotta un bambino a distanza. Avrà vestiti, cibo, scuola?e avrà te! http://social.tiscali.it/promo/C02/sos/
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
======================================================================================== AVISO LEGAL: Esta información es privada y confidencial y está dirigida únicamente a su destinatario. Si usted no es el destinatario original de este mensaje y por este medio pudo acceder a dicha información por favor elimine el mensaje. La distribución o copia de este mensaje está estrictamente prohibida. Esta comunicación es sólo para propósitos de información y no debe ser considerada como propuesta, aceptación ni como una declaración de voluntad oficial de NUCLEO S.A. La transmisión de e-mails no garantiza que el correo electrónico sea seguro o libre de error. Por consiguiente, no manifestamos que esta información sea completa o precisa. Toda información está sujeta a alterarse sin previo aviso.
This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from NUCLEO S.A. . Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.
Ivan Ferreira wrote:
I don't know where I read but as far I know you should use only UNIX crypt for password, so don't use MD5.
If you're talking about values for attribute userPassword I'd recommend to avoid {CRYPT} password scheme since crypt hashes are OS-specific which might get into your way when migrating to another OS platform. I'd strongly recommend to use a salted SHA-1 hash for userPassword.
Ciao, Michael.
Luigi Santangelo wrote:
Hi everybody, this is my problem: I configured my Fedora DS and now I can sync the LDAP's users with Windows 2003 Active Directory. Then, I created a new user with this code ldif
dn: uid=red,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx givenName: red sn: red objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: ntuser uid: red ntUserCreateNewAccount: true ntUserDeleteAccount: true cn: red ntUserDomainId: red userPassword: redpwd creatorsName: uid=root,ou=administrators,ou=topologymanagement, o=netscaperoot modifiersName: uid=root,ou=administrators,ou=topologymanagement, o=netscaperoot createTimestamp: 20080318153555Z modifyTimestamp: 20080318153555Z nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
Note that I wrote the user's password in "clear". Now, I can logon the Windows AD with the username red and the password redpwd. Then I added another user (yellow) with this code ldif
dn: uid=yellow,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx givenName: yellow sn: yellow objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: ntuser uid: yellow ntUserCreateNewAccount: true ntUserDeleteAccount: true cn: yellow ntUserDomainId: yellow userPassword: {MD5}8cb32079718c657b02bbbb176b97d030 creatorsName: uid=root,ou=administrators,ou=topologymanagement, o=netscaperoot modifiersName: uid=root,ou=administrators,ou=topologymanagement, o=netscaperoot createTimestamp: 20080318153555Z modifyTimestamp: 20080318153555Z nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
Note the MD5(yellowpwd) = 8cb32079718c657b02bbbb176b97d030 Then If I try logon the Windows AD (from Windows) with the username yellow and the password yellowred, I cannot log in. Instead, if I try logon the Windows AD with the username yellow and the password {MD5}8cb32079718c657b02bbbb176b97d030 I can log in. Do you think that this is a problem strictly related to Windows' problem? How can I get over it?
You can't pre-hash the password on the client side if you want it to be properly sync'd to AD. The client needs to provide it's password to FDS in the clear, preferably over LDAPS or using a SASL mechanism that provides confidentiality. FDS will then hash it according to the default password hash storage scheme config setting. The clear password will be provided to AD over LDAPS so AD can hash it using the hashing scheme it needs.
-NGK
Thank you in advance.
Adotta un bambino a distanza. Avrà vestiti, cibo, scuola?e avrà te! http://social.tiscali.it/promo/C02/sos/
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
389-users@lists.fedoraproject.org