samrValidatePassword samdb_set_password()

[Matthias Dieter Wallnöfer]

Hi abartlet,

about your email regarding the password handling of s4: you answered on a older post. Please consider this one as my new view/plan for implementing it:

Hi tridge!

tridge at samba.org schrieb:
> Hi Matthias,
> 
>  > the "samdb_set_password" call is currently a disaster in my eyes. The  > major part of the functionality should move to our "password_hash"  > module.
> 
> I don't think it should move to the ldb module, but parts of it should
> be called by the ldb module.
>   
To be honest I don't like the actual "samdb_set_password" call at all - if you consider my passwords private branch you notice a proposed patchset (not tested enough yet). I cleaned up the "samdb_set_password" call to really perform only the essential actions (basically a wrapper as the "samdb_set_password" call for python) - that in detail means 1.) to perform the LDB modifcation request with the password (not only the creation of it like now - since I changed the behaviour to check it now through the password_hash module), 2.) return of the dominfo structure and the reject result (if any).
What I could do is to refactor those mentioned checks (which I integrated for now in the "password_hash" module) in a samdb util call (as proposed by you) - but I would like to see it called only from the "password_hash" module itself and the "samrValidatePassword" call.
A call in "samdb_set_password" I see totally redundant. The same as you would launch this function from the python "samdb_set_password"  method. (Only) The directory component should decide if the password fits for all possible access methods (SAMR calls, kpasswd, LDB/LDAP, python binding...) - since the AD itself is "the heart" of a AD DC. So we remain clear and extensible.

Matthias