Exposing password hashes to an LDAP client.
Andrew Bartlett
abartlet at samba.org
Sat Mar 19 04:24:00 MDT 2011
On Sat, 2011-03-19 at 10:07 +0100, Matthias Dieter Wallnöfer wrote:
> Brendan,
>
> you don't have to change the "password_hash" LDB module at all. Since on
> LDAP search requests the password attributes are removed in the "acl"
> LDB module you might only need to change some array named "password
> attributes" or so.
> But probably Nadya could help you more since she is the maintainer of
> the "acl" module.
The issue here is that Brendan needs a sha1 hash, and we don't currently
store that. We certainly could have password_hash store an additional
hash - otherwise, you would need to store and expose the plaintext.

I would support such an optional extension - the main issue would be
that all the DCs must be Samba4 and configured in the same way or it
won't work.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.