trying to correctly handle account passwords via ldap

simo idra at samba.org
Tue Mar 28 00:52:00 GMT 2006


On Mon, 2006-03-27 at 19:38 -0500, Alan DeKok wrote:
> Simo Sorce <simo.sorce at quest.com> wrote:
> > As already stated these attributes should be considered internal and
> > never exposed in our schema which should contain only the AD compatible
> > attributes.
> 
>   *Please* be careful with that.  Exposing the clear-text password or
> NT hash is of extreme importance to a large number of people.  Many
> would sacrifice "perfect" AD compatibility if it meant that they could
> access the password via some schema extension.

In that case we just need to make the schema extension available and
make them readable if the schema extension is in place.

>   This change could affect deployments with 10's of millions of users.
> Not Samba directly, but other applications that need the information
> AD has, and refuses to expose.  If Samba can expose the information AD
> won't, then Samba becomes *much* more useful to many, many, systems.

ACK

>   My $0.02 is that these 3 attributes are the number one thing needed
> by external applications that AD doesn't export, but that Samba has.
> Support should not be "perhaps, maybe, some time later", but "as soon
> as possible", even if it means AD schema extensions.

Don't worry, at the moment they are readable, and, in any case, you will
be able to modify samba in whatever manner pleases you even if we
decide this is not to be the default behavior for some reason :-)

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
