Exposing password hashes to an LDAP client.

Andrew Bartlett abartlet at samba.org
Sat Mar 19 04:24:00 MDT 2011

On Sat, 2011-03-19 at 10:07 +0100, Matthias Dieter Wallnöfer wrote:
> Brendan,
> you don't have to change the "password_hash" LDB module at all. Since on 
> LDAP search requests the password attributes are removed in the "acl" 
> LDB module you might only need to change some array named "password 
> attributes" or so.
> But probably Nadya could help you more since she is the maintainer of 
> the "acl" module.

The issue here is that brenden needs a sha1 hash, and we don't currently
store that.  We certainly could have password_hash store an additional
hash - otherwise, you would need to store and expose the plaintext.  

I would support such an optional extension - the main issue would be
that all the DCs must be Samba4 and configured in the same way or it
won't work. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

More information about the samba-technical mailing list