new unicode_password ldb module
Andrew Bartlett
abartlet at samba.org
Wed Dec 28 08:25:11 GMT 2005
On Wed, 2005-12-28 at 18:59 +1100, Luke Howard wrote:
> >By ensuring that the krb5key attribute is the only one we need to
> >retrieve, this also simplifies the run-time KDC logic. (Each value
> >of the multi-valued attribute is encoded as a 'Key' in ASN.1.)
>
> FWIW, Active Directory uses three attributes to store keys: dBCSPwd
> (the LM hash), unicodePwd (the NT hash), and supplementalCredentials
> (everything else).
I thought about using supplementalCredentials, but I was worried that I
don't know what the format is. (I still haven't finished the crypto
work on DRSUAPI).
We could rename our current unicodePwd -> userPassword, ntPwdHash ->
unicodePwd, lmPwdHash -> dBCSPwd and krb5Key ->
supplementalCredentials.
The other interesting challenge in this area is how to implement the
'write to unicodePwd over LDAP', which has bizarre semantics (UCS2, with
" surrounding), which wouldn't normally fit well into our ldb interface.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
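
The quoted-UCS2 write semantics for unicodePwd mentioned in the message above, as an added example that is not part of the original post or of Samba's code: a client-side encoder and the validation a server would need before using the value. The function names are hypothetical, and little-endian UTF-16 is assumed for "UCS2".

```python
# Added example: the quoted UCS-2 value used when writing unicodePwd over LDAP.
# Function names are hypothetical; little-endian byte order is an assumption.

QUOTE = '"'


class BadUnicodePwd(ValueError):
    """Raised when a submitted unicodePwd value is not a quoted UCS-2 string."""


def encode_unicode_pwd(cleartext: str) -> bytes:
    """Client side: wrap the password in double quotes, then encode as UTF-16LE."""
    return (QUOTE + cleartext + QUOTE).encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Server side: validate the wire value and return the cleartext inside the quotes."""
    # Two quotes alone take 4 bytes, and every character is a 16-bit unit.
    if len(value) < 4 or len(value) % 2:
        raise BadUnicodePwd("value must be whole 16-bit units and hold both quotes")
    try:
        text = value.decode("utf-16-le")
    except UnicodeDecodeError as exc:
        raise BadUnicodePwd("not valid UTF-16LE") from exc
    if not (text.startswith(QUOTE) and text.endswith(QUOTE)):
        raise BadUnicodePwd("password is not surrounded by double quotes")
    # Strip exactly one quote from each end; quotes inside the password are data.
    return text[1:-1]


def accepts(value: bytes) -> bool:
    """True if the value would pass validation, False if it must be rejected."""
    try:
        decode_unicode_pwd(value)
        return True
    except BadUnicodePwd:
        return False


if __name__ == "__main__":
    wire = encode_unicode_pwd('pa"ss')  # constructed sample password
    print(wire.hex(), decode_unicode_pwd(wire))
```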