trying to correctly handle account passwords via ldap

Andrew Bartlett abartlet at
Wed Mar 29 09:41:02 GMT 2006

On Wed, 2006-03-29 at 11:05 +0200, Henrik Nordstrom wrote:
> Mon 2006-03-27 at 18:56 -0500, Simo Sorce wrote:
> > I propose to save the three formats: clear, NT and LM in internal
> > reserved attributes that are always filtered on output; we may even choose
> > to keep the current names (sambaPassword, ntPwdHash and lmPwdHash) or
> > change them to something more indicative of the function.
> > I propose:
> > sambaPwdClearText
> > sambaPwdNTHash
> > sambaPwdLMHash
> > 
> > As already stated these attributes should be considered internal and
> > never exposed in our schema, which should contain only the AD compatible
> > attributes. If our backend will (in some future) be a second ldap
> > server, then THAT server will have a schema extension that will allow
> > these 3 attributes.
> Please also provide an option to not store the plaintext password at all
> even if it was set via this attribute. 

> This is actually a thing I like from the default AD password policies.
> By default it does not store the plaintext password at all unless the
> administrator has explicitly enabled this, with a warning sign that this
> may expose the user's plaintext password.

Yep, we follow the same default policies.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Student Network Administrator, Hawker College