Samba, OpenLDAP and authentication mechanisms
I would like somebody to clarify for me the options I have to integrate a Samba file server running under Debian with OpenLDAP.
We have an OpenLDAP server that we manage with a custom web interface we developed. Users have the unixAccount object class and their password is stored encrypted via SSH in the userPassword attribute.
As far as I understand, there are two options:
1) Set up Samba as described everywhere and add to each user the sambaSamAccount object class and the sambaLMPassword and sambaNTPassword attributes. That would work perfectly, but the problem I see is that both of these password attributes are like "clear text" because they are weakly encrypted, and this would also force everyone to change his password.
2) Set up Samba to authenticate against PAM, having PAM work with LDAP. That would be perfect, but the problem is that it seems you have to force the clients not to send the password encrypted, and for each client computer to do that, you have to tweak its registry...
The only thing I want is to authenticate the password against LDAP instead of the smbpasswd file. Why can't the Samba daemon just do a bind with the supplied password against the LDAP server like postfix, courier-imap, etc.?
Do I have any other option, or any way to work around the problems described here?
Thanks for your time and help.
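
The trade-off between the two options, as an added example that is not part of the original post: a bind-style check against a salted userPassword value needs the plaintext password, while an encrypted (challenge-response) SMB login only gives the server a response that it must recompute from a stored unsalted hash. Assumptions: userPassword holds a salted `{SSHA}` value, and HMAC-SHA256 and SHA-256 stand in for the real NTLM computation and the MD4-based NT hash; all function names and sample values are constructed.

```python
import base64
import hashlib
import hmac

def ssha_hash(password: str, salt: bytes) -> str:
    """Salted SHA-1 in the {SSHA} userPassword format: base64(sha1(pw+salt)+salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password: str, stored: str) -> bool:
    """What a bind-style check does: it needs the plaintext password."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def unsalted_hash(password: str) -> bytes:
    """Stand-in for the NT hash (the real one is MD4 over UTF-16LE, also unsalted)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(password: str, challenge: bytes) -> bytes:
    """Client side of a challenge-response login: only this value crosses the wire."""
    return hmac.new(unsalted_hash(password), challenge, hashlib.sha256).digest()

def server_check(stored_hash: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the response from the stored unsalted hash."""
    expected = hmac.new(stored_hash, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = "Example-Passw0rd"                  # constructed sample value
    challenge = bytes.fromhex("0123456789abcdef")  # constructed 8-byte challenge
    stored_ssha = ssha_hash(password, b"\x10\x20\x30\x40")
    response = client_response(password, challenge)
    return {
        "bind_style_ok": ssha_verify(password, stored_ssha),
        "challenge_response_ok": server_check(unsalted_hash(password), challenge, response),
        # Same password, different salt: {SSHA} values differ, the unsalted hash does not.
        "ssha_differs": stored_ssha != ssha_hash(password, b"\x50\x60\x70\x80"),
        # The server holds only `response`, never the plaintext that ssha_verify needs.
        "response_is_plaintext": response == password.encode(),
    }

if __name__ == "__main__":
    print(demo())
```

Because the response depends only on the stored unsalted hash, attributes such as sambaNTPassword need the same read restrictions in the directory ACLs as a plaintext password would.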