Move from unicodePwd to userPassword?

Andrew Bartlett abartlet at samba.org
Fri Dec 30 22:33:27 GMT 2005


On Sat, 2005-12-31 at 08:58 +1100, Luke Howard wrote:
> >> Also, you might want to use an attribute other than userPassword if you
> >> eventually want to support RFC 2307 (s. 5.3).
> >
> >Yes, I had meant to frame that as part of the question:  Is there a
> >good, standard attribute name I should consider for this?
> 
> For the cleartext password? None I can think of (except for userPassword,
> of course).

I might use sambaPassword then.

Thinking about who would read userPassword, it seems worthwhile to allow
ideas such as a NIS gateway (such as PADL's product) or just a
passwd/shadow export.  So I'll look at populating this with an MD5 style
password.

> If LDAP clients will never see the attribute it doesn't really matter.
> You could even just use an OID. Or make it a Kerberos keytype and put
> it in krb5Key. The latter is a little more akin to AD, which uses the
> supplementalCredentials attribute to store a set of credentials tagged
> by security package.

I really don't like the idea of a big, multivalued attribute from a
design point of view, but when we get to replication, we won't have much
choice.

Is there any public info around on the format of those attributes
internally, or describing the cryptographic wrapping?  It seems odd that
there is so little interest in the security community in understanding
this...

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
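As an added example that is not part of this thread or of Samba's code, here is the "MD5 style" crypt(3) value the message talks about populating for a passwd/shadow or RFC 2307 export, implemented with hashlib, plus a verifier and a posixAccount LDIF fragment carrying it in userPassword. The DN, helper names and the {CRYPT} scheme prefix are assumptions of this example.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value: int, count: int) -> str:
    """crypt(3) base-64: emit six bits at a time, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)

def md5_crypt(password: str, salt: str = "") -> str:
    """Return the '$1$salt$hash' form used by /etc/shadow and {CRYPT} userPassword."""
    pw = password.encode()
    if not salt:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]  # MD5-crypt reads at most 8 salt characters
    s = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:  # one byte per bit of the password length, a quirk of the original
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return f"$1${salt}${enc}{_to64(final[11], 2)}"

def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return secrets.compare_digest(md5_crypt(password, stored.split("$")[2]), stored)

def ldif_entry(uid: str, password: str) -> str:
    """posixAccount fragment (RFC 2307) with the crypt value in userPassword; DN is assumed."""
    return (f"dn: uid={uid},ou=People,dc=example,dc=com\nobjectClass: posixAccount\n"
            f"uid: {uid}\nuserPassword: {{CRYPT}}{md5_crypt(password)}\n")
```

A NIS gateway or getent-style consumer reads the {CRYPT} value unchanged, so it only has to be generated once at export time.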