new unicode_password ldb module

Andrew Bartlett abartlet at samba.org
Wed Dec 28 08:45:23 GMT 2005


On Wed, 2005-12-28 at 19:34 +1100, Luke Howard wrote:
> >I thought about using supplementalCredentials, but I was worried that I
> >don't know what the format is.  (I still haven't finished the crypto
> >work on DRSUAPI).  
> 
> Right, this is not an issue until you support replication. In the
> shipping version of XAD, we did pretty much the same thing as you.
> 
> >We could rename our current unicodePwd -> userPassword, ntPwdHash ->
> >unicodePwd, lmPwdHash -> dBCSPwd and krb5Key ->
> >supplementalCredentials.  
> 
> Actually, backwards compatibility can get really ugly when you use
> the same attributes. So it's arguably better to use different ones.

I'll consider that quite seriously.  It sounds like a good idea to move
our plaintext password from unicodePwd to userPassword. 

> >The other interesting challenge in this area is how to implement the
> >'write to unicodePwd over LDAP', which has bizarre semantics (UCS2, with
> >" surrounding), which wouldn't normally fit well into our ldb interface.
> 
> In XAD we have a plugin that, after validation, expands a modification
> of the unicodePwd attribute to a series of modifications of other
> attributes. You can probably do something with LDB, right?

If we didn't use unicodePwd for our internal operation, then doing this
in LDB should actually be pretty practical.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
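
The unicodePwd wire format discussed in the message above (UCS2/UTF-16LE with surrounding double quotes), as an added example that is not part of the original e-mail or of Samba's code: a C routine that validates such a value and extracts the password as UTF-8, the step that would come before expanding the write into other attributes. The function name and the decision to reject U+0000 are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

static uint16_t u16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate a unicodePwd write (UTF-16LE wrapped in '"' code units) and store
 * the password in out as NUL-terminated UTF-8. Returns its length, or -1 if
 * malformed or too long. Rejecting U+0000 is this example's own choice. */
int unicodepwd_to_utf8(const uint8_t *val, size_t len, char *out, size_t outsz)
{
    size_t i, n = 0;
    if (outsz == 0 || len < 4 || len % 2 != 0) return -1;
    if (u16le(val) != '"' || u16le(val + len - 2) != '"') return -1;
    for (i = 2; i < len - 2; i += 2) {
        uint32_t cp = u16le(val + i);
        if (cp == 0 || (cp >= 0xDC00 && cp <= 0xDFFF)) return -1; /* NUL, stray low half */
        if (cp >= 0xD800 && cp <= 0xDBFF) {
            /* In bounds: at worst this reads the closing quote, which fails. */
            uint32_t lo = u16le(val + i + 2);
            if (lo < 0xDC00 || lo > 0xDFFF) return -1;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
            i += 2;
        }
        if (n + 5 > outsz) return -1; /* conservative: room for 4 bytes + NUL */
        if (cp < 0x80) {
            out[n++] = (char)cp;
        } else if (cp < 0x800) {
            out[n++] = (char)(0xC0 | (cp >> 6));
            out[n++] = (char)(0x80 | (cp & 0x3F));
        } else if (cp < 0x10000) {
            out[n++] = (char)(0xE0 | (cp >> 12));
            out[n++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[n++] = (char)(0x80 | (cp & 0x3F));
        } else {
            out[n++] = (char)(0xF0 | (cp >> 18));
            out[n++] = (char)(0x80 | ((cp >> 12) & 0x3F));
            out[n++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[n++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    const uint8_t v[] = {'"', 0, 'P', 0, 'w', 0, '1', 0, '"', 0}; /* constructed sample */
    char pw[16];
    printf("%d\n", unicodepwd_to_utf8(v, sizeof v, pw, sizeof pw));
}
```

A value that fails this check should be rejected before any of the derived attributes are touched, so a malformed write cannot leave the stored credentials out of step with each other.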