trying to correctly handle account passwords via ldap
abartlet at samba.org
Wed Mar 29 09:41:02 GMT 2006
On Wed, 2006-03-29 at 11:05 +0200, Henrik Nordstrom wrote:
> Mon 2006-03-27 at 18:56 -0500, Simo Sorce wrote:
> > I propose to save the three formats: clear, NT and LM in internal
> > reserved attributes that are always filtered on output. We may even choose
> > to keep the current names (sambaPassword, ntPwdHash and lmPwdHash) or
> > change them to something more indicative of the function.
> > I propose:
> > sambaPwdClearText
> > sambaPwdNTHash
> > sambaPwdLMHash
> > As already stated these attributes should be considered internal and
> > never exposed in our schema which should contain only the AD compatible
> > attributes. If our backend will (in some future) be a second ldap
> > server, then THAT server will have a schema extension that will allow
> > these 3 attributes.
> Please also provide an option to not store the plaintext password at all
> even if it was set via this attribute.
> This is actually a thing I like from the default AD password policies.
> By default it does not store the plaintext password at all unless the
> administrator has explicitly enabled this, with a warning sign that this
> may expose the user's plaintext password.
Yep, we follow the same default policies.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net