Monday, 1 October 2012

A small truth about Open Directory passwords...

We had a problem today, which gave me some insight into the way OD handles its passwords.

I created a new user in OD and, being based in Munich, made an Oktoberfest-induced error.
(At least that's my excuse...)

I deleted the value of "Authentication Authority" in the Inspector window of the user account. I tried to fix that by copying over that attribute from another user. Seemed to work, everything fine.

After a while, the user from whom I had copied the attribute showed up and complained that his password suddenly seemed to be invalid. Hmm.
Maybe just a coincidence? I changed his password, seemed to work, everything fine. Back to the headache.

Shortly after, the new user showed up: her password was broken now!
Ok, time for some research...

Open Directory does not store the password in the user's LDAP record (as a hash, hidden attribute, etc.). Instead it delegates to a separate password service, the Apple Password Server, which stores and manages the password; the same user also has a Kerberos principal in the KDC. The link between the LDAP record and that stored password is the "AuthenticationAuthority" attribute of the user record. Its ";ApplePasswordServer;..." value carries the ID of the user's slot in the Password Server database (followed by the server's public key and address), and its ";Kerberosv5;..." value names the user's Kerberos principal. The LDAP record itself holds no secret, only these references.

Copying that attribute value from one user to the other gave both records the same slot ID and the same Kerberos principal, and thus the same linked password: whoever changed "their" password changed it for both. The problem was solved when I deleted the complete "AuthenticationAuthority" entry of the new user and changed her password. OD created a new entry in LDAP and in the password service, and it really worked, finally everything fine.
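As an added example (not part of the original post), here is a small shell check that finds user records whose AuthenticationAuthority points at the same Password Server slot ID or the same Kerberos principal, which is exactly the state the copy-and-paste above produced. On a real OD master the input would come from `dscl /LDAPv3/127.0.0.1 -readall /Users RecordName AuthenticationAuthority`; the sample embedded below is constructed in that output format, with made-up slot IDs, realm, host and address, and the server's RSA public key shortened to a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: find Open Directory user records
# whose AuthenticationAuthority points at the same Password Server slot or the
# same Kerberos principal, i.e. two accounts that share one stored password.
#
# Real input on the OD master:
#   dscl /LDAPv3/127.0.0.1 -readall /Users RecordName AuthenticationAuthority
# The sample below is CONSTRUCTED in that output format (slot IDs, realm, host
# and address are made up; the server's RSA public key is shortened to "1357911").

SAMPLE='AuthenticationAuthority:
 ;ApplePasswordServer;0x4b1f0a2c3d4e5f60718293a4b5c6d7e8,1024 35 1357911 root@od.example.com:192.0.2.10
 ;Kerberosv5;;alice@EXAMPLE.COM;EXAMPLE.COM;
RecordName: alice
-
AuthenticationAuthority:
 ;ApplePasswordServer;0x5c2a1b3d4e5f607182930a4b5c6d7e9f,1024 35 1357911 root@od.example.com:192.0.2.10
 ;Kerberosv5;;bob@EXAMPLE.COM;EXAMPLE.COM;
RecordName: bob
-
AuthenticationAuthority:
 ;ApplePasswordServer;0x4b1f0a2c3d4e5f60718293a4b5c6d7e8,1024 35 1357911 root@od.example.com:192.0.2.10
 ;Kerberosv5;;alice@EXAMPLE.COM;EXAMPLE.COM;
RecordName: carol
-'

# Reads dscl -readall output on stdin; prints one line per shared key:
#   "slot <id> user1 user2..."  or  "principal <name> user1 user2..."
# Records are separated by a lone "-"; multi-valued attributes whose values
# contain spaces are printed one value per line, indented by one space.
find_shared_authorities() {
    awk '
    # attach the record name to every key collected for the record
    function flush(   i) {
        if (name != "")
            for (i = 1; i <= nk; i++)
                users[keys[i]] = users[keys[i]] " " name
        nk = 0; name = ""
    }
    # ;ApplePasswordServer;<slot id>,<pubkey> <host>:<ip>  -> key on the slot id
    /^ ;ApplePasswordServer;/ { split($1, f, /[;,]/); keys[++nk] = "slot " f[3] }
    # ;Kerberosv5;;<principal>;<realm>;                    -> key on the principal
    /^ ;Kerberosv5;/          { split($1, f, ";");    keys[++nk] = "principal " f[4] }
    /^RecordName: /           { name = $2 }
    /^-$/                     { flush() }
    END {
        flush()
        for (k in users)
            if (split(users[k], u, " ") > 1)
                print k users[k]
    }' | sort
}

printf '%s\n' "$SAMPLE" | find_shared_authorities
```

Every line this prints is a pair (or more) of accounts that log in with one and the same password, and whatever one of them changes, the others get. The fix is the one described above: clear the duplicated AuthenticationAuthority on the record that was patched by hand and set a new password so OD allocates a fresh slot and principal. Note that the shared Kerberos principal is the nastier half of the problem, since a ticket issued to one account is indistinguishable from one issued to the other.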

...don't drink and root. ^_^


<edit>
A colleague found this on the web:
http://flylib.com/books/en/4.395.1.68/1/

It explains the relation between LDAP, Kerberos and the Apple Password Server in detail. Interesting stuff.

It's from 2005 but seems to be correct in most regards. One thing that seems to be outdated is the note that changing a user's password with kpasswd does not change the password in the Apple Password Server. Tried it, it does. (SL Server, ML Client)

________
Appendix:

Get the timestamp of the last change to a user's password (run on the OD host; look for the "Last password change:" line in the output):
sudo kadmin.local -q 'getprinc user@DOMAIN.COM'
