[s4] Passwords work

Andrew Bartlett abartlet at samba.org
Sun Feb 21 20:38:49 MST 2010


On Sun, 2010-02-21 at 23:04 +0100, Matthias Dieter Wallnöfer wrote:
> In my personal repo under the "passwords" branch I finally completed the
> work regarding the LDAP password handling for s4.
> I spoke already once to abartlet and he gave me some suggestions which I
> implemented (e.g. the additional controls - one for returning password
> policy information, one for allowing password changes/sets only through
> hashes - which bypasses some checks). In addition I have finished a
> python test suite (passwords.py) which shows the password handling
> capabilities directly over LDAP (indirectly we have it already through
> the SAMR password tests).
> 
> I tried to match the LDAP result codes of Windows as much as possible. I
> was stuck running my test script against Windows since it requires an
> LDAPS over SSL connection and I didn't know how to get this working on
> s4 as a client.

It should just require that you use ldaps:// at the front of the URL.
Also, it no longer just requires SSL: if the connection is encrypted
with GSSAPI, then that should work too.

But my biggest concern is that I can't see how you have set up proper
access control to these attributes.  How do you ensure that users can do
password changes, but only administrators can do a password reset?

I also wonder if it's best to use XXXXX and YYYY for dummy values, to
try and prove you can't change certain values.  It may be valuable to
use values that would otherwise be semantically correct.

But overall I'm very impressed, and I look forward to reviewing this
more - we critically need this work.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
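
Added example (not part of the thread, and not Samba's own code): the
distinction Andrew asks about, user password change versus administrative
reset, shows up on the wire as two different LDAP modify shapes on the
unicodePwd attribute. The code below builds both as LDIF and classifies a
modify the way a server-side access-control check would have to. It assumes
s4 follows the Windows AD convention (password wrapped in double quotes,
UTF-16-LE, sent only over ldaps:// or a GSSAPI-sealed connection); the DN and
passwords are constructed for the example and are not from the thread.

```python
"""Build and classify LDAP modify operations on AD's unicodePwd attribute.

Constructed example: the DN and passwords used below are made up.
Assumption: s4 mirrors Windows AD, where unicodePwd carries the password
in double quotes, UTF-16-LE encoded, over an encrypted connection
(ldaps:// or GSSAPI sealing).
"""
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """Wrap the password in double quotes and encode as UTF-16-LE (no BOM)."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(raw: bytes) -> str:
    """Inverse of encode_unicode_pwd; rejects values missing the quotes."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not double-quoted")
    return text[1:-1]


def _b64(value: bytes) -> str:
    # LDIF carries binary values base64-encoded after a double colon.
    return base64.b64encode(value).decode("ascii")


def password_change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """Self-service change: delete the old value and add the new one in a
    single modify.  The server verifies the old value, so the caller needs
    only the 'change password' right and must know the current password."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {_b64(encode_unicode_pwd(old_password))}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {_b64(encode_unicode_pwd(new_password))}",
        "-",
        "",
    ])


def password_reset_ldif(dn: str, new_password: str) -> str:
    """Administrative reset: replace the value outright.  No old value is
    checked, so the server must require the 'reset password' right."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {_b64(encode_unicode_pwd(new_password))}",
        "-",
        "",
    ])


def classify_unicode_pwd_modify(mods):
    """Server-side view.  mods is a list of (op, attr, values) tuples.
    Returns 'change' for the delete-old/add-new shape (one value each),
    'reset' for any other write to unicodePwd, or None if the attribute is
    untouched.  An access-control layer would then demand that the deleted
    value matches the current password for 'change', and an administrative
    right for 'reset'."""
    pwd_ops = [(op.lower(), vals) for op, attr, vals in mods
               if attr.lower() == "unicodepwd"]
    if not pwd_ops:
        return None
    kinds = sorted(op for op, _ in pwd_ops)
    one_value_each = all(len(vals) == 1 for _, vals in pwd_ops)
    if kinds == ["add", "delete"] and one_value_each:
        return "change"
    return "reset"


if __name__ == "__main__":
    dn = "CN=testuser,CN=Users,DC=example,DC=com"  # constructed DN
    print(password_change_ldif(dn, "OldPa$$w0rd", "NewPa$$w0rd"))
    print(password_reset_ldif(dn, "NewPa$$w0rd"))
```

The point of the classifier is that the two operations cannot be told apart
by the attribute name alone; the server has to look at the modify shape
(delete+add with an old value, versus replace) before deciding which right to
check, which is exactly where a missing check would let an ordinary user
perform a reset.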