Move from unicodePwd to userPassword?

Andrew Bartlett abartlet at
Fri Dec 30 22:33:27 GMT 2005

On Sat, 2005-12-31 at 08:58 +1100, Luke Howard wrote:
> >> Also, you might want to use an attribute other than userPassword if you
> >> eventually want to support RFC 2307 (s. 5.3).
> >
> >Yes, I had meant to frame that as part of the question:  Is there a
> >good, standard attribute name I should consider for this?
> For the cleartext password? None I can think of (except for userPassword,
> of course).

I might use sambaPassword then.  

Thinking about who would read userPassword, it seems worthwhile to allow
ideas such as a NIS gateway (such as PADL's product) or just a
passwd/shadow export.  So I'll look at populating this with an MD5 style

> If LDAP clients will never see the attribute it doesn't really matter.
> You could even just use an OID. Or make it a Kerberos keytype and put
> it in krb5Key. The latter is a little more akin to AD, which uses the
> supplementalCredentials attribute to store a set of credentials tagged
> by security package.

I really don't like the idea of a big, multivalued attribute from a
design point of view, but when we get to replication, we won't have much

Is there any public info around on the format of those attributes
internally, or describing the cryptographic wrapping?  It seems odd that
there is so little interest in the security community in understanding

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College

More information about the samba-technical mailing list