trying to correctly handle account passwords via ldap
simo
idra at samba.org
Tue Mar 28 00:39:11 GMT 2006
On Tue, 2006-03-28 at 10:32 +1000, Luke Howard wrote:
> >On a classic AD instead we have the following attributes:
> >
> >unicodePwd write only attribute the password is specified
> > as an ucs2 string enclosed in quotes
> >ntPwdHistory NT hash history
> >lmPwdHistory LM hash history
>
> Note that "classic" AD does not store the UCS-2 cleartext password in
> unicodePwd, even though it can be set that way. Rather, the NT OWF
> is stored in the unicodePwd attribute, and the LM OWF in dBCSPwd. Both
> these attributes are DES encrypted with the user's RID.
Do you mean that unicodePwd and dBCSPwd can be read out from an AD LDAP
server?
I thought these were write-only attributes.
> Package-specific credentials such as Kerberos keys and cleartext are
> stored in supplementalCredentials.
Is the format of supplementalCredentials known? Can it be read via
LDAP?
Simo.
/trying to make our ldbsearch work with SSL and without giving this
nice error:
Failed to bind - LDAP error 48 LDAP_INAPPROPRIATE_AUTHENTICATION -
<00002029: LdapErr: DSID-0C09016D, comment: Cannot start kerberos
signing/sealing when using TLS/SSL, data 0, vece> <>
--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
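
The unicodePwd value format mentioned in the quoted text (a UCS-2 string enclosed in quotes) can be built and checked as below. This is an added example, not part of the original message or of Samba's code; the function names and the sample DN are constructed, little-endian byte order is assumed, and the LDIF layout follows RFC 2849 base64 (`::`) syntax.

```python
import base64

def encode_unicode_pwd(password: str) -> bytes:
    """Wrap the password in double quotes and encode it as 16-bit LE code units."""
    # Conservative reading of "ucs2": refuse characters outside the BMP,
    # which would need surrogate pairs.
    if any(ord(ch) > 0xFFFF for ch in password):
        raise ValueError("password contains characters outside UCS-2")
    return ('"' + password + '"').encode("utf-16-le")

def decode_unicode_pwd(value: bytes) -> str:
    """Validate a unicodePwd write value and return the password inside the quotes."""
    if len(value) % 2:
        raise ValueError("odd byte count: not a 16-bit string")
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("value is not enclosed in quotes")
    return text[1:-1]

def ldif_replace_password(dn: str, password: str) -> str:
    """Build an LDIF modify record that replaces unicodePwd (ASCII DN assumed)."""
    if not dn.isascii():
        raise ValueError("this sketch only handles ASCII DNs")
    b64 = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {b64}",   # '::' marks a base64-encoded binary value
        "-",
        "",
    ])

if __name__ == "__main__":
    # Constructed sample DN and password, for illustration only.
    print(ldif_replace_password("CN=Test User,CN=Users,DC=example,DC=com", "ab"))
```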