samrValidatePassword samdb_set_password()

Andrew Bartlett abartlet at samba.org
Tue Sep 29 15:57:52 MDT 2009


On Tue, 2009-09-29 at 10:21 +0200, Matthias Dieter Wallnöfer wrote: 
> Hi tridge,
> 
> the "samdb_set_password" call is currently a disaster in my eyes. The 
> major part of the functionality should move to our "password_hash" 
> module. This is strictly needed since without it the setting of 
> passwords over LDB/LDAP doesn't enforce the policies (only those set 
> over SAMR and kpasswd do at the moment). 

Well, we could just have a new module call back to the existing code,
rather than try a major rework here. 

> I started an experimental patch 
> in a personal branch - but it needs testing and more rework.
> 
> Very good to inform me about this "samrValidatePassword" call - I don't 
> know what would be the best way to implement this. One possibility would be 
> to first add a temporary user account (I imagine that the "account" 
> parameter is exactly the name for this one - a type of hash), try to set 
> the password, let the password be checked by the "password_hash", delete 
> this created account - and return the result.

I really don't think that's a good idea.  We need a way (perhaps an
extended operation) to check this without doing writes to the DB. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
