
[Devel] Synchronising Linux and Windows passwords



I've got Samba doing updates of the LDAP userPassword attribute when a password 
change is initiated from a Windows client. However, this requires binding using 
the admin LDAP user and supplying the admin password. So far this is done in a 
Perl script and storing this admin password in clear text in the script. I don't 
like having the password stored like this. Is there another way? Is it somehow 
possible to access the password so that it is not visible?

These are the changes to smb.conf:

   unix password sync = yes
   passwd program = /etc/samba/ldapsync.pl %u
   passwd chat = *New*Password* %n\n *modifying*

And ldapsync.pl:

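#!/usr/bin/perl -w

# Samba passes the user name (%u) as the first argument.
$user=$ARGV[0];
# The prompt must match the "passwd chat" pattern in smb.conf.
print "New Password:  ";
$pass=<STDIN>;
chomp $pass;

# Two random characters from the crypt(3) salt alphabet.
$salt=join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64];

$pass=crypt($pass,$salt);

# Pipe the LDIF below to ldapmodify, binding as the admin user.
# The command must stay on one line; the admin password is given in clear text after -w.
$FILE="|ldapmodify -x -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -w <super_secret_password_that_should_not_be_in_cleartext>";

# Old-style open: the command is taken from $FILE.
open FILE or die;

print FILE <<EOF;
dn: uid=$user,ou=people,dc=skole,dc=skolelinux,dc=no
changetype: modify
replace: userPassword
userPassword: {crypt}$pass
EOF
close FILE;

exit 0;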


Any pointers anyone?

-- 
Ragnar Wisløff
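
Added example, not part of the original post: a variant of ldapsync.pl that reads the bind password from a root-only file through ldapmodify's -y option, so the secret is neither in the script nor in the process list as it is with -w. Assumptions: the file path /etc/samba/ldap-bind.secret and the helper names are hypothetical, and Samba runs the passwd program as root.

```perl
#!/usr/bin/perl
# Added example, not the poster's script. Assumed: the bind password is stored
# in /etc/samba/ldap-bind.secret (hypothetical path), owned by root, mode 0600,
# without a trailing newline (ldapmodify -y uses the complete file contents).
use strict;
use warnings;
use Fcntl ':mode';

my $secret_file = '/etc/samba/ldap-bind.secret';    # hypothetical path
my $bind_dn     = 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no';

# Refuse to run if the secret is accessible to anyone but root.
sub secret_file_ok {
    my ($path) = @_;
    my @st = stat($path) or return 0;
    return 0 unless S_ISREG($st[2]);
    return 0 if $st[4] != 0;                              # owner must be root
    return 0 if S_IMODE($st[2]) & (S_IRWXG | S_IRWXO);    # no group/other bits
    return 1;
}

# %u ends up inside an LDIF "dn:" line, so accept only plain account names.
sub valid_user { return $_[0] =~ /\A[a-z_][a-z0-9_.-]{0,31}\z/i }

sub main {
    my $user = shift(@ARGV) // '';
    valid_user($user)            or die "refusing user name\n";
    secret_file_ok($secret_file) or die "$secret_file: unsafe or missing\n";

    print "New Password:  ";      # must still match "passwd chat" in smb.conf
    chomp(my $pass = <STDIN> // '');
    my @c    = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
    my $hash = crypt($pass, join '', @c[rand 64, rand 64]);   # as in the post

    # List-form pipe open: no shell is involved, and the bind password never
    # appears on the ldapmodify command line.
    open(my $ldap, '|-', 'ldapmodify', '-x', '-D', $bind_dn, '-y', $secret_file)
        or die "cannot run ldapmodify: $!\n";
    print {$ldap} "dn: uid=$user,ou=people,dc=skole,dc=skolelinux,dc=no\n",
                  "changetype: modify\nreplace: userPassword\n",
                  "userPassword: {crypt}$hash\n";
    close($ldap) or die "ldapmodify failed\n";
    return 0;
}

exit main() unless caller;
```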