The exop password change branch

Andrew Bartlett abartlet at
Thu Nov 18 03:56:07 MST 2010

On Thu, 2010-11-18 at 11:46 +0100, Matthias Dieter Wallnöfer wrote:
> Hi abartlet,
> Andrew Bartlett wrote:
> > Matthias,
> >
> > I thought you asked me recently to look at your extended password change
> > operation code, so I've looked over your 'exop' branch, and I have to
> > say, the code looks pretty good (and somehow simpler than I imagined).
> >
> > I would however like to comment on a few things, to make it even better:
> >
> > While it's great to have the extended op in the same module as the rest
> > of the password changes, it does mean that we go down the stack, then
> > back up again.  I wonder if it might be better to have a new module at
> > the top of the stack, so the process is clearer.
> >    
> Well, but there aren't so many modules which implement extended 
> operations - therefore this shouldn't take too long. And I think this 
> really belongs in the "password_hash" module - well it's my personal 
> point of view.

It is more about structure than about speed.  What should the ACL module
do with extended operations?  If it is transformed into normal
modifications above the ACL module then no additional changes or
exceptions are required. 

> > The patch should also allow administrative password changes, where just
> > like on unicodePwd, the admin does not need to specify the old password.
> >    
> Probably you are right. Will look again into the code.
> > I couldn't find the ASN.1 code, which I think you were trying to ask me
> > (somewhere - I can't remember where) to look over.  Can you point me at
> > it?  I think this will be one of our first extended operations to be
> > decoded in the LDAP server, so you may need to set up some
> > infrastructure :-)
> >    
> The issue is that I really do understand nothing about ASN.1. Therefore 
> it would be great if someone could take over this part or give me some 
> tight instructions.

ASN.1 is deserving of its nasty reputation.  I'll try and look at it
over the next day or so - remind me if I don't get to it by next week. 

BTW, thanks for getting to this!  This will be a very useful feature
once implemented. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.

More information about the samba-technical mailing list