[Patch] myldap-pub.py
Matthias Dieter Wallnöfer
mdw at samba.org
Thu Aug 19 12:12:04 MDT 2010
Hi Lukasz,
Lukasz Zalewski wrote:
> I have noticed that when NTpassword is missing the new unicodePwd
> element is set to None. However the account is not disabled, but it
> does not have the empty password either. So does ldbadd process
> generate some random password value if that attribute is missing?
> Should the account be disabled during the import if password
> information is missing?
Do you speak from s4 or s3? On s4 I've implemented some restriction that
you can't end without a password on a password set or change. Code
taken from "password_hash.c":
> /* refuse the change if someone tries to set/change the password by
>  * the lanman hash alone and we've deactivated that mechanism. This
>  * would end in an account without any password! */
> if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16)
>     && (!io->n.nt_hash) && (!io->n.lm_hash)) {
>         ldb_asprintf_errstring(ldb,
>                 "setup_io: "
>                 "The password change/set operations performed using the LAN Manager hash alone are deactivated!");
>         return LDB_ERR_UNWILLING_TO_PERFORM;
> }
If you have the lanman auth mechanism active and you provide only the
lanman hash you are fine without restriction.
If you face an erroneous behaviour from your point of view then please
inform us.
Matthias
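
An importer-side pre-check that models the guard quoted above, so entries that would end up without any password material are identified before the import runs. This is an added example, not code from Samba or from this mail; the `Creds` record, the function names, the hex-format check and the sample entries are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# NT and LM hashes are 16 bytes, written as 32 hex digits.
HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

class Creds(NamedTuple):
    """Hypothetical per-account record built by an import script."""
    cleartext: Optional[str] = None
    nt_hash: Optional[str] = None
    lm_hash: Optional[str] = None

def usable_hash(value):
    """Return the hash if it is a well-formed 32-digit hex string, else None."""
    return value if value and HASH_RE.match(value) else None

def password_set_allowed(creds, lanman_auth):
    """Model of the quoted guard: refuse when no credential material is left."""
    nt = usable_hash(creds.nt_hash)
    # Assumption taken from the quoted comment: the LM hash only counts
    # while the lanman mechanism is active.
    lm = usable_hash(creds.lm_hash) if lanman_auth else None
    return bool(creds.cleartext or nt or lm)

def audit(entries, lanman_auth=False):
    """Split account names into (importable, refused), keeping input order."""
    ok, refused = [], []
    for name, creds in entries.items():
        (ok if password_set_allowed(creds, lanman_auth) else refused).append(name)
    return ok, refused

# Constructed sample entries; the hash values are placeholders, not real hashes.
SAMPLE = {
    "alice": Creds(nt_hash="0123456789ABCDEF0123456789ABCDEF"),
    "bob": Creds(lm_hash="FEDCBA9876543210FEDCBA9876543210"),
    "carol": Creds(),                      # NT password missing entirely
    "dave": Creds(nt_hash="not-a-hash"),   # malformed value in the source
}

if __name__ == "__main__":
    for flag in (False, True):
        ok, refused = audit(SAMPLE, lanman_auth=flag)
        print(f"lanman_auth={flag}: importable={ok} refused={refused}")
```

Accounts in the refused list are the ones for which the import script has to make an explicit decision instead of writing an empty password attribute.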