LanManager Hashes in OpenLDAP

To allow synchronization of user accounts between an existing Active Directory and a newly set up OpenLDAP server, the data held by the Windows 2000 server first has to be migrated to the Unix host. Most of the information stored in Microsoft's Active Directory can be retrieved via LDAP. There is, however, one notable exception: user passwords, or the cryptographic hashes derived from them. This information is only available through the Security Accounts Manager (SAM), a protected subsystem of Windows 2000 (and NT). A migration would thus require that new passwords be issued to all users. Fortunately a program called ``pwdump'' is available that can read the data stored in the SAM and export it to a text file. This file is in the format of Samba's /etc/smbpasswd file and contains one line per account, giving the account name, the UID, and the LanManager and NT password hashes. To make use of these values in OpenLDAP, a verification function for LanManager password hashes is needed.
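As an added example (not the thesis's Perl script), the following Python reads pwdump output in the smbpasswd layout just described and writes an LDIF file for import. The sample lines are constructed; the base DN, the objectClasses and the {LANMAN} prefix (the scheme-tag convention OpenLDAP uses for userPassword, explained further down) are assumptions. It deliberately skips disabled accounts and accounts whose LanManager field is a placeholder or the hash of the empty string, because neither value can verify any password.

```python
"""Turn pwdump output (smbpasswd layout) into LDIF carrying {LANMAN} values.

Added example, not the Perl script from the thesis. The sample lines are
constructed; the base DN, the objectClasses and the {LANMAN} scheme tag are
assumptions about how the imported entries are laid out.
"""
import re

# Constructed sample: name:uid:LMHASH:NTHASH:[flags]:LCT-<hex time>:
SAMPLE = """\
# users exported with pwdump (constructed)
jdoe:1001:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-3BD4E1F0:
svc:1002:NO PASSWORD*********************:NO PASSWORD*********************:[U          ]:LCT-3BD4E1F0:
longpw:1003:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-3BD4E1F0:
guest:501:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:[UD         ]:LCT-3BD4E1F0:
"""

# LanManager hash of the empty string: what Windows stores when there is no
# LanManager hash at all (for example, passwords longer than 14 characters).
LM_EMPTY = "AAD3B435B51404EEAAD3B435B51404EE"
HEX32 = re.compile(r"^[0-9A-F]{32}$")


def parse_smbpasswd(text):
    """Yield one dict per account line; comments and blank lines are ignored."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected name:uid:lm:nt, got {line!r}")
        name, uid, lm, nt = fields[:4]
        # smbpasswd keeps account flags such as [UD] (disabled) in the fifth field
        flags = fields[4] if len(fields) > 4 and fields[4].startswith("[") else ""
        yield {"name": name, "uid": int(uid), "lm": lm.upper(), "nt": nt.upper(),
               "disabled": "D" in flags}


def _dn_value(value):
    """Escape the characters RFC 2253 treats specially in an RDN value."""
    return re.sub(r'([,+"\\<>;])', r"\\\1", value)


def to_ldif(records, base_dn="ou=People,dc=example,dc=com"):
    """Return (ldif_text, skipped) where skipped lists (name, reason) pairs."""
    entries, skipped = [], []
    for r in records:
        if r["disabled"]:
            skipped.append((r["name"], "account disabled"))
            continue
        if not HEX32.match(r["lm"]) or r["lm"] == LM_EMPTY:
            # "NO PASSWORD***" placeholders and the empty-string hash cannot
            # be used to verify anything; those users need a new password.
            skipped.append((r["name"], "no usable LanManager hash"))
            continue
        entries.append("\n".join([
            f"dn: uid={_dn_value(r['name'])},{base_dn}",
            "objectClass: account",           # assumed objectClasses
            "objectClass: simpleSecurityObject",
            f"uid: {r['name']}",
            f"userPassword: {{LANMAN}}{r['lm']}",
            "",
        ]))
    return "\n".join(entries), skipped


if __name__ == "__main__":
    ldif, skipped = to_ldif(parse_smbpasswd(SAMPLE))
    print(ldif)
    for name, reason in skipped:
        print(f"# skipped {name}: {reason}")
```

The Windows RID in the second field is not carried into the entry: it is not a Unix UID, and mapping it to uidNumber is a separate decision from password migration. The skipped list is what an operator would hand to the help desk, since those users must be issued new passwords regardless.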

OpenLDAP supports an extensible mechanism to verify plain text passwords provided in an LDAP simple bind. The verification is implemented in the passwd.c module of liblutil. The server calls lutil_passwd to verify a password. This function takes three parameters:

passwd, the stored password,
cred, the credentials provided in simple bind,
schemes, an array of allowed schemes.
The value with which the provided password is compared is stored in the directory in the ``userPassword'' attribute. While this attribute was originally intended to hold only cleartext passwords, its usage has been extended to store values derived from the actual passwords.

The syntax of the userPassword attribute is:

{scheme}hashvalue

where scheme names the hash algorithm and hashvalue is the result of applying that algorithm to the password. OpenLDAP 2.0 supports crypt, MD5 and SHA-1, the latter two also in a salted variant. Support is not limited to hash values stored in the directory, however: a verifier may also consult an external source. The following external schemes exist:
``unix'' uses the system's /etc/passwd file,
``sasl'' calls the Cyrus SASL library to verify a password,
``kerberos'' tries to get an initial ticket from a KDC.
To check a password, lutil_passwd iterates over the pw_schemes array, which holds the names of the available schemes together with pointers to the corresponding verification functions, and calls the function registered for the scheme named in the stored value.
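To make the dispatch concrete, here is an added Python model of lutil_passwd (written for this page, not OpenLDAP's C code): a table of scheme tags mapping to checker functions, a parser for the {scheme}hashvalue layout, and checkers for the MD5 and SHA-1 schemes, salted and unsalted, using OpenLDAP's encoding of base64(digest || salt). The hash_password helper produces values in the same layout so the round trip can be checked. Treating an untagged value as cleartext only when a {CLEARTEXT} scheme is explicitly allowed is an assumption of this example.

```python
"""Scheme-dispatching password verifier modelled on liblutil's lutil_passwd().

Added example, not code from the thesis or from OpenLDAP. The {CLEARTEXT}
handling for untagged values is this example's assumption.
"""
import base64
import hashlib
import hmac
import os


def _split_scheme(stored):
    """Split '{SSHA}abc...' into ('{SSHA}', 'abc...'); (None, stored) if untagged."""
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 0:
            return stored[:end + 1].upper(), stored[end + 1:]
    return None, stored


def _chk_digest(algo, salted):
    """Build a checker for {MD5}/{SMD5}/{SHA}/{SSHA}: base64(digest [+ salt])."""
    size = hashlib.new(algo).digest_size

    def check(value, cred):
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            return False
        if len(raw) < size or (not salted and len(raw) != size):
            return False
        digest, salt = raw[:size], raw[size:]   # salt is whatever follows the digest
        computed = hashlib.new(algo, cred + salt).digest()
        return hmac.compare_digest(computed, digest)
    return check


# Counterpart of the pw_schemes table: scheme tag -> verification function.
PW_SCHEMES = {
    "{MD5}": _chk_digest("md5", salted=False),
    "{SMD5}": _chk_digest("md5", salted=True),
    "{SHA}": _chk_digest("sha1", salted=False),
    "{SSHA}": _chk_digest("sha1", salted=True),
}


def lutil_passwd(passwd, cred, schemes=None):
    """True if the bind credentials cred match the stored userPassword value.

    passwd: stored value, cred: bytes from the simple bind,
    schemes: allowed scheme tags, or None to allow every known scheme."""
    allowed = None if schemes is None else [s.upper() for s in schemes]
    tag, value = _split_scheme(passwd)
    if tag is None:
        # Untagged value: compare as cleartext only when explicitly allowed (assumption).
        if allowed and "{CLEARTEXT}" in allowed:
            return hmac.compare_digest(passwd.encode("utf-8"), cred)
        return False
    if allowed is not None and tag not in allowed:
        return False
    check = PW_SCHEMES.get(tag)
    return check is not None and check(value, cred)


def hash_password(password, scheme="{SSHA}", salt=None):
    """Produce a userPassword value such as '{SSHA}' + base64(sha1(pw + salt) + salt)."""
    scheme = scheme.upper()
    if scheme not in PW_SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    algo = "md5" if "MD5" in scheme else "sha1"
    if scheme in ("{SSHA}", "{SMD5}"):
        salt = os.urandom(4) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, password + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


if __name__ == "__main__":
    stored = hash_password(b"s3cret")
    print(stored, lutil_passwd(stored, b"s3cret"), lutil_passwd(stored, b"wrong"))
```

Two details matter in practice: scheme tags are matched case-insensitively, as the C code does with strncasecmp, and the digest comparison is constant-time so that a failed bind does not leak how many bytes matched.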

To support LanManager password hashes, a ``lanman'' scheme has been developed as part of this thesis. The hash_lanman function computes the hash according to [109, Appendix A.2 - A.4]; chk_lanman then compares the result with the stored value. A Perl migration script that reads the output of pwdump and generates an LDIF file for import into the directory server has also been provided. These contributions have been submitted to the OpenLDAP project and have been incorporated into the head development branch.

Norbert Klasen 2001-10-22