Exposing password hashes to an LDAP client.

brendan powers brendan0powers at gmail.com
Sun Mar 20 13:06:00 MDT 2011


On Sat, Mar 19, 2011 at 6:24 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sat, 2011-03-19 at 10:07 +0100, Matthias Dieter Wallnöfer wrote:
>> Brendan,
>>
>> you don't have to change the "password_hash" LDB module at all. Since on
>> LDAP search requests the password attributes are removed in the "acl"
>> LDB module you might only need to change some array named "password
>> attributes" or so.
>> But probably Nadya could help you more since she is the maintainer of
>> the "acl" module.
>
> The issue here is that Brendan needs a sha1 hash, and we don't currently
> store that.  We certainly could have password_hash store an additional
> hash - otherwise, you would need to store and expose the plaintext.

What kind of hash is stored now?

>
> I would support such an optional extension - the main issue would be
> that all the DCs must be Samba4 and configured in the same way or it
> won't work.

This isn't a problem for me. I am only using 1 samba4 DC.

>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
>
>

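A toy model of the two LDB stages the thread refers to, added here as an illustration and not Samba's own code: the password_hash stage derives the extra SHA-1 hash while the cleartext is still present on the write, and the acl stage strips everything in its password-attribute list from search results unless the caller is the system or the attribute was deliberately allowed. All attribute names, the `extra_allowed` parameter and the stage behaviour are assumptions made for this model.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Assumed attribute names for this model (not Samba's real list).
CLEARTEXT_ATTR = "clearTextPassword"
PASSWORD_ATTRIBUTES = ("unicodePwd", "sha1Password")  # hidden from LDAP clients


def sha1_hex(password: str) -> str:
    # The extra hash can only be computed while the cleartext is available,
    # i.e. at password-set time; it cannot be derived from a stored NT hash.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def nt_hash_hex(password: str) -> Optional[str]:
    # NT hash is MD4 over the UTF-16LE password; some OpenSSL builds
    # no longer provide MD4, so this model tolerates its absence.
    try:
        return hashlib.new("md4", password.encode("utf-16-le")).hexdigest()
    except ValueError:
        return None


def password_hash_stage(entry: Dict[str, str]) -> Dict[str, str]:
    """Write path: replace the cleartext with the hashes to be stored."""
    stored = dict(entry)
    clear = stored.pop(CLEARTEXT_ATTR, None)
    if clear is None:
        return stored  # this write does not change the password
    nt = nt_hash_hex(clear)
    if nt is not None:
        stored["unicodePwd"] = nt  # the hash the directory stores already
    stored["sha1Password"] = sha1_hex(clear)  # the additional hash
    return stored  # cleartext is never written to the backend


def acl_stage(entry: Dict[str, str], *, caller_is_system: bool,
              extra_allowed: Iterable[str] = ()) -> Dict[str, str]:
    """Search path: drop password attributes unless the caller is the
    system or the attribute was explicitly added to the exposed set."""
    if caller_is_system:
        return dict(entry)
    allowed = set(extra_allowed)
    return {k: v for k, v in entry.items()
            if k not in PASSWORD_ATTRIBUTES or k in allowed}


def ldap_search(stored: Dict[str, str],
                extra_allowed: Iterable[str] = ()) -> Dict[str, str]:
    """What a non-system LDAP client sees for one stored entry."""
    return acl_stage(stored, caller_is_system=False, extra_allowed=extra_allowed)
```

Exposing the SHA-1 value therefore means both adding it on the write path and adding its name to the acl stage's allowed set, which is the narrower change Matthias describes.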

More information about the samba-technical mailing list