samrValidatePassword samdb_set_password()
tridge at samba.org
Tue Sep 29 15:02:38 MDT 2009
Hi Matthias,

> the "samdb_set_password" call is currently a disaster in my eyes. The
> major part of the functionality should move to our "password_hash"
> module.

I don't think it should move to the ldb module, but parts of it should
be called by the ldb module.

> Very good to inform me about this "samrValidatePassword" call - I don't
> know what would be the best to implement this. One possibility would be
> to first add a temporary user account (I imagine that the "account"
> parameter is exactly the name for this one - a type of hash), try to set
> the password, let the password be checked by the "password_hash", delete
> this created account - and return the result.

Please don't do that!

All we need is to take the core of the samdb_set_password() function
and split it out into a samdb_validate_password() function. The
samdb_validate_password() would not take an account name, and would
just check the various password strength rules that
samdb_set_password() currently checks, returning a NTSTATUS, plus a
samr_RejectReason code.

That function can then be called from the 3 places we need to do
password strength testing:

- from the password_hash ldb module
- from samdb_set_password()
- from samr_ValidatePassword()

In general I like to keep our ldb modules simple, and call out to
utility functions to do complex work like this.

Cheers, Tridge
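
A sketch of the split described in the message above, as an added example that is not part of the original post and not Samba's code: a side-effect-free validator that takes no account name and returns a status plus a reject reason. The type names, constants, policy struct and the two rules shown (minimum length, three of four character classes) are stand-ins assumed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Stand-ins for NTSTATUS and samr_RejectReason; values are illustrative. */
typedef enum { ST_OK = 0, ST_PASSWORD_RESTRICTION = 1 } status_t;
typedef enum { REJECT_NONE = 0, REJECT_TOO_SHORT, REJECT_COMPLEXITY } reject_reason_t;

/* Hypothetical domain policy that the caller has already loaded. */
struct pw_policy {
    size_t min_length;
    int require_complexity;   /* non-zero: need 3 of 4 character classes */
};

/* Count the character classes (lower, upper, digit, other) present in pw. */
static int char_classes(const char *pw)
{
    int lower = 0, upper = 0, digit = 0, other = 0;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (islower(*p)) lower = 1;
        else if (isupper(*p)) upper = 1;
        else if (isdigit(*p)) digit = 1;
        else other = 1;
    }
    return lower + upper + digit + other;
}

/*
 * Pure check: no account name, no database access, nothing created or
 * deleted. The ldb module, the set-password path and the RPC validate
 * call can all share it and map the result as each one needs.
 */
status_t validate_password(const struct pw_policy *policy, const char *pw,
                           reject_reason_t *reason)
{
    *reason = REJECT_NONE;
    if (pw == NULL || strlen(pw) < policy->min_length) {
        *reason = REJECT_TOO_SHORT;
        return ST_PASSWORD_RESTRICTION;
    }
    if (policy->require_complexity && char_classes(pw) < 3) {
        *reason = REJECT_COMPLEXITY;
        return ST_PASSWORD_RESTRICTION;
    }
    return ST_OK;
}
```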