design for storing trusted domain passwords in ldap

Michael Adam ma at sernet.de
Mon Jan 22 09:32:26 GMT 2007


On Sat, Jan 20, 2007 at 06:58:27PM +1100, Andrew Bartlett wrote:
> On Thu, 2007-01-18 at 23:57 +0100, Michael Adam wrote:
> > Do you think of storing the previous password (and maybe more
> > of the history) as an additional nt password attribute (or as 
> > a sambaPasswordHistory attribute) of the sambaTrustedDomainPassword
> > object or rather as an object of its own like sambaTrustedDomainLastPassword 
> > or even sambaTrustedDomainPasswordHistory?
> 
> The password cannot be stored as an additional value in an existing
> attribute, as these are unsorted in LDAP.  We will need a new LDAP
> attribute.  

Er yes, sorry for being imprecise -- by saying "additional nt
password attribute" I did not mean (nor say ;-)
additional value to an existing attribute (sambaNTPassword) but
as an additional attribute of the same syntax but different name
(sambaLastNTPassword, say).

So there are four options that occur to me for realizing your
demand for storing (at least) the last password for a trusted
domain:

1) additional attribute sambaLastNTPassword in sambaTrustedDomainPassword
2) additional attribute sambaPasswordHistory (along with
   sambaPwdHistoryLength) in sambaTrustedDomainPassword
3) separate object sambaTrustedDomainLastPassword 
4) separate object sambaTrustedDomainPasswordHistory

The first two are more appealing to me, but maybe there are
good reasons to use separate objects?

Michael
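Worked example, added here to illustrate the two in-object options (1 and 2) from the mail above; it is not code from the thread or from Samba. An LDAP entry is modelled as a dict. For option 2 the history is kept as one string value with the newest entry first, because (as Andrew notes) a multi-valued LDAP attribute carries no order. The per-entry layout, 16 bytes of random salt followed by MD5(salt || NT hash), hex-encoded, is an assumption modelled on the sambaPasswordHistory layout Samba uses for user accounts; the acceptance policy (current or immediately previous password only, so a peer whose rollover lags by one still authenticates) is likewise this example's assumption. The NT hashes in the demo are constructed constants, not real credentials.

```python
import hashlib
import os
from typing import List, Optional, Tuple

SALT_LEN = 16                                # random salt bytes per history entry
HASH_LEN = 16                                # MD5 digest length
ENTRY_HEX_LEN = 2 * (SALT_LEN + HASH_LEN)    # 64 hex chars per history entry


def _salted(nt_hash: bytes, salt: bytes) -> bytes:
    # Stored form of an old hash: MD5(salt || NT hash), so the history value
    # cannot be replayed directly as a pass-the-hash credential (assumed layout).
    return hashlib.md5(salt + nt_hash).digest()


def rotate_option1(entry: dict, new_nt_hash: bytes) -> dict:
    """Option 1: a single sambaLastNTPassword attribute keeps the previous hash."""
    if "sambaNTPassword" in entry:
        entry["sambaLastNTPassword"] = entry["sambaNTPassword"]
    entry["sambaNTPassword"] = new_nt_hash.hex().upper()
    return entry


def rotate_option2(entry: dict, new_nt_hash: bytes, salt: Optional[bytes] = None) -> dict:
    """Option 2: sambaPasswordHistory is ONE string value, newest entry first.

    Position inside the string carries the order; separate LDAP values could not.
    sambaPwdHistoryLength bounds the number of entries kept."""
    max_len = int(entry.get("sambaPwdHistoryLength", 0))
    if "sambaNTPassword" in entry and max_len > 0:
        old = bytes.fromhex(entry["sambaNTPassword"])
        salt = salt if salt is not None else os.urandom(SALT_LEN)
        newest = (salt + _salted(old, salt)).hex().upper()
        history = newest + entry.get("sambaPasswordHistory", "")
        entry["sambaPasswordHistory"] = history[: max_len * ENTRY_HEX_LEN]
    entry["sambaNTPassword"] = new_nt_hash.hex().upper()
    return entry


def parse_history(history: str) -> List[Tuple[bytes, bytes]]:
    """Split the single history string into (salt, salted_hash) pairs, newest first."""
    raw = bytes.fromhex(history)
    if len(raw) % (SALT_LEN + HASH_LEN):
        raise ValueError("truncated sambaPasswordHistory value")
    step = SALT_LEN + HASH_LEN
    return [(raw[i:i + SALT_LEN], raw[i + SALT_LEN:i + step]) for i in range(0, len(raw), step)]


def password_age(entry: dict, nt_hash: bytes) -> int:
    """0 = current password, 1 = previous, n = n rotations ago, -1 = unknown.

    Handles both layouts: option 1 (sambaLastNTPassword) and option 2
    (sambaPasswordHistory)."""
    candidate = nt_hash.hex().upper()
    if entry.get("sambaNTPassword", "").upper() == candidate:
        return 0
    if "sambaLastNTPassword" in entry:
        return 1 if entry["sambaLastNTPassword"].upper() == candidate else -1
    for n, (salt, digest) in enumerate(parse_history(entry.get("sambaPasswordHistory", "")), 1):
        if _salted(nt_hash, salt) == digest:
            return n
    return -1


def trust_password_acceptable(entry: dict, nt_hash: bytes) -> bool:
    """Assumed policy: accept the current or the immediately previous trust
    password (the peer's rollover may lag by one), reject anything older."""
    return password_age(entry, nt_hash) in (0, 1)


if __name__ == "__main__":
    # Constructed NT hashes for the demo, not real credentials.
    h1, h2, h3, h4 = (bytes(range(i, i + 16)) for i in (0, 16, 32, 48))
    trust = {"sambaDomainName": "PARTNER", "sambaPwdHistoryLength": "2"}
    for h in (h1, h2, h3, h4):
        rotate_option2(trust, h)
    for name, h in (("h4", h4), ("h3", h3), ("h2", h2), ("h1", h1)):
        print(name, "age", password_age(trust, h), "accept", trust_password_acceptable(trust, h))
```

Note that sambaPwdHistoryLength caps the stored history at rotation time, so an entry with a length of 1 degenerates to option 1 (one previous hash) while keeping the option-2 attribute names; that is the main practical difference between the two in-object layouts.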


