new unicode_password ldb module

Andrew Bartlett abartlet at
Wed Dec 28 08:45:23 GMT 2005

On Wed, 2005-12-28 at 19:34 +1100, Luke Howard wrote:
> >I thought about using supplementalCredentials, but I was worried that I
> >don't know what the format is.  (I still haven't finished the crypto
> >work on DRSUAPI).  
> Right, this is not an issue until you support replication. In the
> shipping version of XAD, we did pretty much the same thing as you.
> >We could rename our current unicodePwd -> userPassword, ntPwdHash ->
> >unicodePwd, lmPwdHash -> dBCSPwd and krb5Key ->
> >supplementalCredentials.  
> Actually, backwards compatibility can get really ugly when you use
> the same attributes. So it's arguably better to use different ones.

I'll consider that quite seriously.  It sounds like a good idea to move
our plaintext password from unicodePwd to userPassword. 

> >The other interesting challenge in this area is how to implement the
> >'write to unicodePwd over LDAP', which has bizarre semantics (UCS2, with
> >" surrounding), which wouldn't normally fit well into our ldb interface.
> In XAD we have a plugin that, after validation, expands a modification
> of the unicodePwd attribute to a series of modifications of other
> attributes. You can probably do something with LDB, right?

If we didn't use unicodePwd for our internal operation, then doing this
in LDB should actually be pretty practical.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
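
The validate-then-expand step discussed in the thread, as an added example that is not part of the original message and is not Samba or XAD code. It assumes "UCS2" means little-endian UTF-16 on the wire, that the internal plaintext attribute is userPassword as floated above, and that a modify request is a list of hypothetical (op, attr, values) tuples:

```python
# Added example, not Samba or XAD code. The (op, attr, values) tuple shape
# and the unicodePwd -> userPassword mapping are assumptions for illustration.
QUOTE = '"'.encode("utf-16-le")  # the two bytes b'"\x00'


class BadUnicodePwd(ValueError):
    """Value does not match the quoted UTF-16LE unicodePwd wire form."""


def decode_unicode_pwd(value: bytes) -> str:
    """Validate a unicodePwd write value and return the bare password."""
    if len(value) % 2:
        raise BadUnicodePwd("odd byte length, not 16-bit code units")
    # A lone quote (2 bytes) would match both ends, so check length first.
    if len(value) < 2 * len(QUOTE) or value[:2] != QUOTE or value[-2:] != QUOTE:
        raise BadUnicodePwd("missing surrounding double quotes")
    try:
        # Strict decoding rejects unpaired surrogates instead of replacing them.
        return value[2:-2].decode("utf-16-le", errors="strict")
    except UnicodeDecodeError as exc:
        raise BadUnicodePwd("invalid UTF-16LE sequence") from exc


def expand_mods(mods):
    """Rewrite unicodePwd replaces into writes of the internal attribute."""
    out = []
    for op, attr, values in mods:
        if attr.lower() != "unicodepwd":
            out.append((op, attr, values))  # unrelated modification, pass through
            continue
        if op != "replace" or len(values) != 1:
            raise BadUnicodePwd("only a single-valued replace is handled here")
        password = decode_unicode_pwd(values[0])
        out.append(("replace", "userPassword", [password.encode("utf-8")]))
    return out


# Constructed sample modify request, not captured traffic.
SAMPLE = [
    ("replace", "description", [b"test user"]),
    ("replace", "unicodePwd", ['"S3cr\u00e9t"'.encode("utf-16-le")]),
]
```

Derived attributes such as the hash attributes named in the thread would be appended in the same loop; they are left out here because their derivation is not described in the message.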