trying to correctly handle account passwords via ldap
Simo Sorce
simo.sorce at quest.com
Tue Mar 28 03:36:28 GMT 2006
On Tue, 2006-03-28 at 13:17 +1000, Andrew Bartlett wrote:
> On Mon, 2006-03-27 at 22:11 -0500, Simo Sorce wrote:
> > On Tue, 2006-03-28 at 12:47 +1000, Andrew Bartlett wrote:
>
> > Sure, I'm not for password lock in, I just want to be compatible.
>
> In LDAP, you only get what you ask for. I think this gives us great
> opportunities to provide administrators, without modification of
> binaries or low-level commands, the ability to access information they
> need.
>
> We can (and probably should) mark these as operational attributes, but I
> don't see any reason why we can't expose them. Perhaps you understand
> the compatibility problems better than I do.
>
> I think we will have plenty of extra logic in the replication
> implementation, that dealing with/mapping a few extra attributes won't
> be too hard (particularly if we use different names).

As long as we expose unicodePwd and dBCSPwd I have no problem with
optionally exposing other attributes, nor do I really care if we want to go
through a process of twice mapping attributes that can easily be handled
in a compatible way.

I do not see why we should go through these mappings when we know the
correct formats anyway; it seems just an unnecessary complication.

Simo.