design for storing trusted domain passwords in ldap

Michael Adam ma at
Mon Jan 22 09:32:26 GMT 2007

On Sat, Jan 20, 2007 at 06:58:27PM +1100, Andrew Bartlett wrote:
> On Thu, 2007-01-18 at 23:57 +0100, Michael Adam wrote:
> > Do you think of storing the previous password (and maybe more
> > of the history) as an additional nt password attribute (or as 
> > a sambaPasswordHistory attribute) of the sambaTrustedDomainPassword
> > object or rather as an object of its own like sambaTrustedDomainLastPassword 
> > or even sambaTrustedDomainPasswordHistory?
> The password cannot be stored as an additional value in an existing
> attribute, as these are unsorted in LDAP.  We will need a new LDAP
> attribute.  

Er yes, sorry for being imprecise -- by saying "additional nt
password attribute" I did not mean (nor say ;-)
additional value to an existing attribute (sambaNTPassword) but
as an additional attibute of the same syntax but different name
(sambaLastNTPassword, say).

So there are four options that occur to me for realizing your
damand for storing (at least) the last password for a trusted

1) additional attribute sambaLastNTPassword in sambaTrustedDomainPassword
2) additional attribute sambaPasswordHistory (along with
   sambaPwdHistoryLength) in sambaTrustedDomainPassword
3) separate object sambaTrustedDomainLastPassword 
4) separate object sambaTrustedDomainPasswordHistory

The first two are more appealing to me, but maybe there are
good reasons to use separate objects?


More information about the samba-technical mailing list