Directory listing:

  Name         Date         Size
  Makefile     07-Feb-2012  1.5 KiB
  README       07-Feb-2012  3.6 KiB
  smbk5pwd.c   07-Feb-2012  28.6 KiB

README

This directory contains a slapd overlay, smbk5pwd, that extends the
PasswordModify Extended Operation to update Kerberos keys and Samba
password hashes for an LDAP user.

The Kerberos support is written for Heimdal using its hdb-ldap backend.
If a PasswordModify is performed on an entry that has the krb5KDCEntry
objectclass, then the krb5Key and krb5KeyVersionNumber will be updated
using the new password in the PasswordModify request. Additionally, a
new "{K5KEY}" password hash mechanism is provided. For krb5KDCEntries that
have this hash specifier in their userPassword attribute, Simple Binds
will be checked against the Kerberos keys of the Entry. No data is
needed after the "{K5KEY}" hash specifier in userPassword; the key
material is looked up from the Entry directly.

The Samba support is written using the Samba 3.0 LDAP schema. If a
PasswordModify is performed on an entry that has the sambaSamAccount
objectclass, then the sambaLMPassword, sambaNTPassword, and sambaPwdLastSet
attributes will be updated accordingly. Note that krb5Key and the Samba
hashes are password-equivalent secrets (the NT hash is an unsalted MD4 of
the password and the LM hash is the legacy LanManager hash, case-insensitive
and limited to 14 characters), so read access to these attributes must be
restricted by ACL just as for userPassword.

To use the overlay, add:

	include <path to>/krb5-kdc.schema
	include <path to>/samba.schema

	moduleload <path to>smbk5pwd.so
	...

	database bdb
	...
	overlay smbk5pwd

to your slapd configuration file. (You should obtain the necessary schema
files from the Heimdal and/or Samba distributions. At this time, there
are several known errors in these schema files that you will have to
correct before they will load in slapd. As of Samba 3.0 the schema looks
fine as shipped.)

By default, every module that was compiled in (krb5 and samba with the
provided Makefile, plus shadow if built with DO_SHADOW) is enabled; the
statement

	smbk5pwd-enable		<module>

restricts the overlay to the listed module(s) and may be repeated. Legal
values for <module> are "krb5", "samba" and "shadow"; each is accepted
only if the overlay was built with DO_KRB5, DO_SAMBA or DO_SHADOW
respectively.

The samba module also supports the statement

	smbk5pwd-must-change	<seconds>

which sets the sambaPwdMustChange attribute to the time of the password
change plus <seconds>, so that Samba clients see the password expire.
A value of 0 disables this feature.

The overlay now supports table-driven configuration, and thus can be run-time
loaded and configured via back-config. The layout of the entry is

	# {0}smbk5pwd, {1}bdb, config
	dn: olcOverlay={0}smbk5pwd,olcDatabase={1}bdb,cn=config
	objectClass: olcOverlayConfig
	objectClass: olcSmbK5PwdConfig
	olcOverlay: {0}smbk5pwd
	olcSmbK5PwdEnable: krb5
	olcSmbK5PwdEnable: samba
	olcSmbK5PwdMustChange: 2592000

which enables both krb5 and samba modules with a password expiry time
of 30 days (2592000 seconds).

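The following script is an added example, not code from OpenLDAP or from smbk5pwd.c. After a PasswordModify has gone through the samba module, it checks that the entry carries what the overlay is documented to write: sambaNTPassword must equal the MD4 digest of the UTF-16LE encoded new password, and, when smbk5pwd-must-change is non-zero, sambaPwdMustChange is assumed to be sambaPwdLastSet plus the configured seconds (the arithmetic is this example's reading of the option, not a line quoted from the overlay). The sample LDIF entry, the list-valued attribute dictionary, and the helper names (md4, nt_hash, parse_ldif, check_samba_entry) are constructed for the example. MD4 is implemented inline because OpenSSL 3 builds of Python's hashlib often do not provide it; sambaLMPassword is not checked because the LM hash needs DES.

```python
"""Verify an entry after smbk5pwd's samba module handled a PasswordModify.

Added example; not code from OpenLDAP or smbk5pwd.c.  Assumption (from the
README's description of smbk5pwd-must-change):
    sambaPwdMustChange == sambaPwdLastSet + <seconds>
"""
import struct

_MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(msg: bytes) -> bytes:
    """Minimal RFC 1320 MD4, inlined because hashlib's md4 is often absent."""
    bit_len = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", bit_len)                  # 64-bit little-endian length
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, word order, shift table, additive constant)
        (lambda x, y, z: (x & y) | (~x & _MASK & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = _lrot((a + fn(b, c, d) + x[j] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c                # rotate registers for the next step
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """What the samba module stores in sambaNTPassword: MD4(UTF-16LE(pw)) as hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def parse_ldif(text: str) -> dict:
    """Tiny single-entry LDIF reader: 'attr: value' lines only, values kept as lists.
    Constructed helper; does not handle base64 (::), line folding or comments."""
    entry = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def check_samba_entry(entry: dict, new_password: str, must_change: int) -> list:
    """Return the inconsistencies found; an empty list means the entry looks as
    expected after a PasswordModify to `new_password` with the given
    smbk5pwd-must-change setting (0 = feature disabled, nothing to check)."""
    findings = []
    if "sambaSamAccount" not in entry.get("objectClass", []):
        findings.append("no sambaSamAccount objectClass; the overlay would not touch this entry")
    stored = entry.get("sambaNTPassword", [""])[0].upper()
    if stored != nt_hash(new_password):
        findings.append("sambaNTPassword does not match MD4(UTF-16LE(new password))")
    if "sambaPwdLastSet" not in entry:
        findings.append("sambaPwdLastSet missing; the overlay should have stamped it")
    elif must_change:
        expected = int(entry["sambaPwdLastSet"][0]) + must_change   # assumed arithmetic
        actual = int(entry.get("sambaPwdMustChange", ["-1"])[0])
        if actual != expected:
            findings.append(f"sambaPwdMustChange is {actual}, expected {expected}")
    return findings


# Constructed sample: an entry as it might look after the password was set to
# "password" with smbk5pwd-must-change 2592000 (30 days), as in the README.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: sambaSamAccount
uid: alice
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C
sambaPwdLastSet: 1328601600
sambaPwdMustChange: 1331193600
"""

if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)
    print(check_samba_entry(entry, "password", 2592000) or "entry consistent")
```

In practice the entry would come from `ldapsearch` run as an identity with read access to the Samba attributes, and the password from the same change request that was sent to `ldappasswd`; the check is useful right after enabling the overlay, to confirm that the sambaSamAccount branch actually fired and that the expiry arithmetic matches what the Samba side expects.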
The provided Makefile builds both Kerberos and Samba support by default.
You must edit the Makefile to ensure that the correct include and library
paths are used. You can change the DEFS macro if you only want one or the
other of Kerberos or Samba support.

This overlay is only set up to be built as a dynamically loaded module.
On most platforms, in order for the module to be usable, all of the
library dependencies must also be available as shared libraries.

If you need to build the overlay statically, you will have to move it into the
slapd/overlays directory and edit the Makefile and overlays.c to reference
it. You will also have to define SLAPD_OVER_SMBK5PWD to SLAPD_MOD_STATIC,
and add the relevant libraries to the main slapd link command.

---
This work is part of OpenLDAP Software <http://www.openldap.org/>.
Copyright 2004-2011 The OpenLDAP Foundation.
Portions Copyright 2004-2005 Howard Chu, Symas Corp. All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.