[Fedora-directory-users] Windows Sync (via changelog) only works with front-ends sending uncenctyped passwords
Rich Megginson
rmeggins at redhat.com
Fri Jan 16 15:31:09 UTC 2009
lambam80 at hotmail.com wrote:
> Hello everybody and a BIG thanks to Rich, and the rest of you, for
> your kind aid. Can you please help with something else ?
>
> HISTORY
> -------
>
> We're currently investigating using Windows SYNC but only the password
> part of the SYNC functionality - no accounts.
>
> My prototype works fine - if I change a password with Windows
> Cntl+Alt+Del it
> is propogated to Redhat Directory Server (RHDS). If I change the RHDS
> password with a simple front end it
> is propogated to Windows Active-Directory (Netscape console, for
> example, or a script with userpassword: secret-password ).
>
> I read the following:
> Directory Server passwords are synchronized along with other entry
> attributes because plain-text passwords are retained in the Directory
> Server changelog.
> Source:
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html#Windows_Sync-About_Windows_Sync
>
> PROBLEM ?
> ---------
>
> I think this only works with RHDS and password changing front-ends
> that send the password unencrypted.
>
> For example, if I do something like the following with RHDS:
>
> ./ldapmodify -P "/root/.mozilla/firefox/acu5w0yl.default/cert8.db" -c
> -h ${DEST_HOST} -p ${DEST_PORT} -D "${DEST_BIND}" -w $DESTDN_PASSWORD
> <<EOF
> dn: uid=${TGI},ou=People,${DEST_SUFFIX}
> changetype: modify
> replace: userpassword
> userpassword: {SHA}v9KDMpMQgX13LuXtmWzmSaIcNGM=
> EOF
>
> Note: Please note the {SHA} stuff in 'userpassword'.
>
> I cannot see how, using the changelog, RHDS can unencrypt the password
> from {SHA} so as to
> re-encode it in unicodePwd for sending to Active-Directory.
> unicodePwd: good link
> http://www.eyrie.org/~eagle/journal/2007-07/010.html
> <http://www.eyrie.org/%7Eeagle/journal/2007-07/010.html>
>
> My tests show that it doesn't work: After running the script I cannot
> login to Windows
> using my account/secret-password.
>
> If however, I change my script to use the password unencrypted
> (userpassword: secret-password) the propogation works again and I can
> log into my Windows client.
>
> Q1. Am I correct that it only works with RHDS front-ends that send the
> password unencrypted ?
Yes. SHA and other hashes are one way only - it is practically
impossible to convert a SHA hash to the original clear text password.
In addition, AD must have the clear text password sent to it in order
for it to generate its hashes and keys used for Windows authentication.
> Thanks,
>
> ------------------------------------------------------------------------
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20090116/679ad24c/attachment.bin>
More information about the Fedora-directory-users
mailing list