Exposing password hashes to an LDAP client.

brendan powers brendan0powers at gmail.com
Sun Mar 20 13:06:00 MDT 2011

On Sat, Mar 19, 2011 at 6:24 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sat, 2011-03-19 at 10:07 +0100, Matthias Dieter Wallnöfer wrote:
>> Brendan,
>> you don't have to change the "password_hash" LDB module at all. Since on
>> LDAP search requests the password attributes are removed in the "acl"
>> LDB module you might only need to change some array named "password
>> attributes" or so.
>> But probably Nadya could help you more since she is the maintainer of
>> the "acl" module.
> The issue here is that brenden needs a sha1 hash, and we don't currently
> store that.  We certainly could have password_hash store an additional
> hash - otherwise, you would need to store and expose the plaintext.

What kind of hash is stored now?

> I would support such an optional extension - the main issue would be
> that all the DCs must be Samba4 and configured in the same way or it
> won't work.

This isn't a problem for me. I am only using 1 samba4 DC.

> Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.

More information about the samba-technical mailing list