new unicode_password ldb module

Luke Howard lukeh at
Wed Dec 28 08:34:08 GMT 2005

>I thought about using supplementalCredentials, but I was worried that I
>don't know what the format is.  (I still haven't finished the crypto
>work on DRSUAPI).  

Right, this is not an issue until you support replication. In the
shipping version of XAD, we did pretty much the same thing as you.

>We could rename our current unicodePwd -> userPassword, ntPwdHash ->
>unicodePwd, lmPwdHash -> dBCSPwd and krb5Key ->

Actually, backwards compatibility can get really ugly when you use
the same attributes. So it's arguably better to use different ones.

>The other interesting challenge in this are is how to implement the
>'write to unicodePwd over LDAP', which has bizarre semantics (UCS2, with
>" surrounding), which wouldn't normally fit well into our ldb interface.

In XAD we have a plugin that, after validation, expands a modification
of the unicodePwd attribute to a series of modifications of other
attributes. You can probably do something with LDB, right?


-- Luke


More information about the samba-technical mailing list