I'm just starting to jump into freeipa/ldap, and have another question
about it.  Basically, you have LDAP, which from everything I read, is
just a directory server.  Its sole purpose is like a phone book.
Integrated (or on top of) ldap, you can have authentication.  There's
kerberos, smb/ldap, etc...

Now, my question is when you add something like "smb/windows"
authentication, do you just add a field in LDAP so it stores the
password hashes (and other windows stuff)?  When you "extend" the
schema, is all you're doing adding the fields to the ldap database
to allow the storage of this?  If this is the case, what prevents a
malicious user from dumping the hashes to the passwords?

Schema is sort of a 2-step process. Step 1 is to tell the directory server about the schema at all. This can be done offline by dropping a schema file into a filesystem directory or online by uploading the schema. Either way this just tells the LDAP server about the new objectclasses and attributes available and their syntaxes.

Step 2 is to add those objectclasses and attributes to entries. An objectclass tells which attributes are available to any entry, some of which are mandatory. Think of an objectclass as sort of a building block that adds more capabilities to an entry.

There are access controls that manage who can do what. A typical user can write their password but cannot read it (e.g. you can't see the hash(es)). A typical user cannot see anyone else's password info and can't write any other records.

I know this is really a basic question, but it would help me
understand how all this works.

IPA will eventually hide most of this sort of detail so you can focus on managing your users and not on dealing with attribute-level stuff.
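As an added illustration (not part of the thread, and not FreeIPA's own schema or ACIs), here is what the two schema steps and the password access controls look like as 389 Directory Server LDIF, the server FreeIPA runs on; the attribute/objectclass names, the OIDs and the dc=example,dc=com suffix are placeholders:

```ldif
# Step 1: tell the server about a new attribute and an auxiliary objectclass
# (placeholder OIDs; a real deployment uses its own registered OID arc).
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleWinAttr' DESC 'placeholder' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleWinAccount' DESC 'placeholder' SUP top AUXILIARY MAY ( exampleWinAttr ) X-ORIGIN 'user defined' )

# Step 2: add the objectclass to one entry, which makes its attributes legal there.
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: exampleWinAccount
-
add: exampleWinAttr
exampleWinAttr: constructed-sample-value

# Access control on the users container: anonymous/authenticated reads are
# allowed on everything except userPassword, and a user may write (change)
# but never read their own userPassword. Any further hash attribute added by
# a schema extension should be excluded the same way, because 389-ds only
# denies what no ACI grants.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "userPassword")(version 3.0; acl "Read everything except password hashes"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "userPassword")(version 3.0; acl "Users change own password"; allow (write) userdn = "ldap:///self";)

# Check: searching as alice for her own userPassword should return the entry
# with no userPassword attribute, while a password change via ldappasswd succeeds:
#   ldapsearch -x -D "uid=alice,cn=users,cn=accounts,dc=example,dc=com" -W \
#     -b "uid=alice,cn=users,cn=accounts,dc=example,dc=com" userPassword
```

The same pattern (exclude the hash attribute from the read ACI, grant only self-write) applies to whatever attributes a Samba or other Windows-oriented schema adds; the server itself does not protect an attribute just because it was added to the schema.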
