[sork] passwd: using multiple backends simultaneously
Jared
redjar at redjar.org
Tue Jun 3 10:24:53 PDT 2003
After more digging, I came up with a solution that works, using the
suggestion to have the ldap backend update all three passwords.
I found a few utilities that would generate lm and nt password hashes
from a cleartext password. Unfortunately, I haven't found a PHP native
one, although I've seen references that suggest that one may exist.
So to get around this, the LDAP driver does a system call to the
utility.
I ended up using one called mkntpwd. I found it here:
http://demog.berkeley.edu/~aperrin/tips/src/mkntpwd.tar.gz
It simply takes a cleartext password as an argument and generates lm
and nt password hashes.
As the ldap backend is generating the crypt password, I also made it
run mkntpwd to generate the lm and nt password hashes and store them along
with the crypt password in the $newDetails array. All the changes get
sent with the existing ldap_mod_replace function call.
Here's what the chunk of code in ldap.php used to look like:
========================================================================
// change the user's password
$newDetails['userPassword'] = $this->encryptPassword($newPassword);
$res = ldap_mod_replace($this->_ds, $userdn, $newDetails);
if (!$res) {
    $res = PEAR::raiseError(ldap_error($this->_ds));
} else {
    $this->reset_credentials($username, $oldPassword, $newPassword);
}
========================================================================
Here's what I changed it to:
========================================================================
// change the user's passwords
// generate the unix password
$newDetails['userPassword'] = $this->encryptPassword($newPassword);
// quote the password for the shell: without escapeshellarg(), spaces or
// shell metacharacters in the password would break or alter the command
$shellPassword = escapeshellarg($newPassword);
// generate the lm password (exec() returns the last line of output)
$lmcommand = "/usr/local/bin/mkntpwd -L $shellPassword";
$newDetails['lmPassword'] = exec($lmcommand);
// generate the nt password
$ntcommand = "/usr/local/bin/mkntpwd -N $shellPassword";
$newDetails['ntPassword'] = exec($ntcommand);
// update the LDAP password attributes
$res = ldap_mod_replace($this->_ds, $userdn, $newDetails);
if (!$res) {
    $res = PEAR::raiseError(ldap_error($this->_ds));
} else {
    $this->reset_credentials($username, $oldPassword, $newPassword);
}
========================================================================
You obviously need to make sure the lmPassword and ntPassword
attributes can be written to by the user.
This also works really well for us because users don't currently have
any entries in their lmPassword and ntPassword fields. (We were using
unencrypted passwords with Samba which means we have no smbpasswd file
containing hashes.) Everyone will have to change their password once
before they can mount their smb home drive, but there's really no other
way around it.
Thanks for everyone's help.
-jared
On Monday, June 2, 2003, at 03:29 PM, Jared wrote:
>
> On Monday, June 2, 2003, at 02:02 PM, Eric Rostetter wrote:
>>> I am implementing an LDAP server which stores users' unix passwords as
>>> well as LANmanager and NT passwords. My hope is to use the horde
>>> passwd module to keep these in sync. For example, when a user changes
>>> their password all three LDAP attributes get updated at the same
>>> time.
>>
>> If you can do that all in ldap, then it would be a fairly trivial
>> change to the ldap driver to accomplish it.
>
> Yes, this seems like a simple and clean solution to the problem.
> However, is there a simple way to generate a LAN Manager and NTLM
> password hash? I'm having trouble finding any details on how to
> actually create them.
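As an added example (not Jared's patch and not code from the Horde passwd module): the NT hash can be computed natively in PHP, which removes one of the two mkntpwd calls and keeps the cleartext off the command line for that half. The function names, the mkntpwd path, the availability of the hash and iconv extensions, and the assumption that mkntpwd prints the 32-hex-digit hash on a single line (as the patch above relies on) are mine.

```php
<?php
// Added example: native NT hash, checked external LM hash, and the
// attribute array to merge into $newDetails before ldap_mod_replace().

// NT hash: MD4 over the password encoded as UTF-16LE, stored as 32
// upper-case hex digits in the ntPassword attribute. Assumes the hash
// extension (PHP 5.1.2+) and iconv are available.
function nt_password_hash($password)
{
    $utf16 = iconv('UTF-8', 'UTF-16LE', $password);
    if ($utf16 === false) {
        return false;          // password is not valid UTF-8
    }
    return strtoupper(hash('md4', $utf16));
}

// LM hash via mkntpwd (path is an assumption). escapeshellarg() keeps
// spaces and shell metacharacters in the password from altering the
// command; the cleartext is still visible as a process argument while
// mkntpwd runs, which is why the NT half above avoids the shell entirely.
function lm_password_hash($password, $mkntpwd = '/usr/local/bin/mkntpwd')
{
    $out = array();
    $status = 1;
    exec($mkntpwd . ' -L ' . escapeshellarg($password), $out, $status);
    $hash = isset($out[0]) ? trim($out[0]) : '';
    // reject anything that is not exactly one 32-hex-digit line
    if ($status !== 0 || !preg_match('/^[0-9A-Fa-f]{32}$/', $hash)) {
        return false;          // tool missing, failed, or unexpected output
    }
    return strtoupper($hash);
}

// Extra attributes for ldap_mod_replace(); false means abort the change
// rather than write an entry with only some of the passwords updated.
function smb_password_attributes($password)
{
    $nt = nt_password_hash($password);
    $lm = lm_password_hash($password);
    if ($nt === false || $lm === false) {
        return false;
    }
    return array('lmPassword' => $lm, 'ntPassword' => $nt);
}
```

In the driver, merge the returned array into $newDetails only when it is not false, so a failed hash generation leaves the userPassword change unsent as well.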