[ldapext] Samba and the password policy draft

Andrew Bartlett abartlet at samba.org
Tue Mar 9 04:00:35 GMT 2004

On Tue, 2004-03-09 at 13:51, Luke Howard wrote:
> >I'm wondering if there's something preventing the use of an NT/LM SASL
> >mechanism to perform an LDAP SASL bind. Novell is beginning to look at
> >doing just that and will contribute to the code if it's seen as
> >beneficial. If this were available, the password policy could still be
> >enforced by the LDAP server
> For the record, this exists and is supported by Active Directory -- it
> is the NTLM SASL mechanism. But, as Andrew pointed out, it buys you
> nothing with pass-through authentication.
> >Then for password modifications, there is RFC 3602. Do you think this
> >is sufficient to update these kinds of passwords? 
> In some cases you only have the user's keys, not their password. Perhaps
> a control could be defined that extended RFC 3062 to support setting
> keys.

Indeed, that would be useful.  Could direct setting of those attributes
be considered to be that operation?  That is already proposed as an
allowed way to change userPassword, I think.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040309/a2b8559d/attachment.bin

More information about the samba-technical mailing list