trying to correctly handle account passwords via ldap

Simo Sorce simo.sorce at
Tue Mar 28 03:36:28 GMT 2006

On Tue, 2006-03-28 at 13:17 +1000, Andrew Bartlett wrote:
> On Mon, 2006-03-27 at 22:11 -0500, Simo Sorce wrote:
> > On Tue, 2006-03-28 at 12:47 +1000, Andrew Bartlett wrote:
> > Sure, I'm not for password lock in, I just want to be compatible.
> In LDAP, you only get what you ask for.  I think this gives us great
> opportunities to provide administrators, without modification of
> binaries or low-level commands, the ability to access information they
> need.
> We can (and probably should) mark these as operational attributes, but I
> don't see any reason why we can't expose them.  Perhaps you understand
> the compatibility problems better than I do.  
> I think we will have plenty of extra logic in the replication
> implementation, that dealing with/mapping a few extra attributes won't
> be too hard (particularly if we use different names).

As long as we expose unicodePwd and dBCSPwd I have no problem in
optionally exposing other attributes, nor I really care if we want to go
through a process of mapping twice attributes that can easily be handled
in a compatible way.
I do not see why we should go through this mappings when we know the
correct formats anyway, it seem just unnecessary complications.


More information about the samba-technical mailing list