samrValidatePassword samdb_set_password()
Matthias Dieter Wallnöfer
mdw at samba.org
Tue Sep 29 15:34:01 MDT 2009
Hi tridge!
tridge at samba.org schrieb:
> Hi Matthias,
>
> > the "samdb_set_password" call is currently a disaster in my eyes. The
> > major part of the functionality should move to our "password_hash"
> > module.
>
> I don't think it should move to the ldb module, but parts of it should
> be called by the ldb module.
>
To be honest I don't like the actual "samdb_set_password" call at all -
if you consider my passwords private branch you notice a proposed
patchset (not tested enough yet). I cleaned up the "samdb_set_password"
call to really perform only the essential actions (basically a wrapper
as the "samdb_set_password" call for python) - that in detail means 1.)
to perform the LDB modifcation request with the password (not only the
creation of it like now - since I changed the behaviour to check it now
through the password_hash module), 2.) return of the dominfo structure
and the reject result (if any).
What I could do is to refactor those mentioned checks (which I
integrated for now in the "password_hash" module) in a samdb util call
(as proposed by you) - but I would like to see it called only from the
"password_hash" module itself and the "samrValidatePassword" call.
A call in "samdb_set_password" I see totally redundant. The same as you
would launch this function from the python "samdb_set_password" method.
(Only) The directory component should decide if the password fits for
all possible access methods (SAMR calls, kpasswd, LDB/LDAP, python
binding...) - since the AD itself is "the heart" of a AD DC. So we
remain clear and extensible.
Matthias
> > Very good to inform me about this "samrValidatePassword" call - I don't
> > know what would be the best to implement this. One possibility would be
> > to first add a temporary user account (I imagine that the "account"
> > parameter is exactly the name for this one - a type of hash), try to set
> > the password, let the password be checked by the "password_hash", delete
> > this created account - and return the result.
>
> Please don't do that!
>
> All we need is to take the core of the samdb_set_password() function
> and split it out into a samdb_validate_password() function. The
> samdb_validate_password() would not take an account name, and would
> just check the various password strength rules that
> samdb_set_password() currently checks, returning a NTSTATUS, plus a
> samr_RejectReason code.
>
> That function can then be called from the 3 places we need to do
> password strength testing:
>
> - from the password_hash ldb module
>
> - from samdb_set_password()
>
> - from samr_ValidatePassword()
>
> In general I like to keep our ldb modules simple, and call out to
> utility functions to do complex work like this.
>
> Cheers, Tridge
>
>
More information about the samba-technical
mailing list