trying to correctly handle account passwords via ldap

Henrik Nordstrom henrik at
Wed Mar 29 09:05:49 GMT 2006

mån 2006-03-27 klockan 18:56 -0500 skrev Simo Sorce:

> I propose to save the three formats: clear, NT and LM in internal
> reserved attributes that are always filtered on output we may even chose
> to keep the current names (sambaPassword, ntPwdHash and lmPwdHash) or
> change them to something more indicative of the function.
> I propose:
> sambaPwdClearText
> sambaPwdNTHash
> sambaPwdLMHash
> As already stated these attributes should be considered internal and
> never exposed in our schema which should contain only the AD compatibile
> attributes. If our backend will (in some future) be a second ldap
> server, then THAT server will have a schema extension that will allow
> these 3 attributes.

Please also provide an option to not store the plaintext password at all
even if it was set via this attribute. In many environments the
plaintext password is considered very sensitive, much more so than the
domain controller itself.. This because users tend to reuse the same
password for many things outside the Windows world, and in such
environments a hacker being able to suck out the current passwords of
all users by simply cracking a Windows domain controller is not seen a
good thing..

This is actually a thing I like from the default AD password policies.
By default It does not store the plaintext password at all  unless the
administrator has explicitly enabled this, with a warning sign that this
may expose the users plaintext password..

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: Detta =?ISO-8859-1?Q?=E4r?= en digitalt signerad
Url :

More information about the samba-technical mailing list