From samba-technical Sun Mar 20 19:06:00 2011
From: brendan powers
Date: Sun, 20 Mar 2011 19:06:00 +0000
To: samba-technical
Subject: Re: Exposing password hashes to an LDAP client.
Message-Id:
X-MARC-Message: https://marc.info/?l=samba-technical&m=130064796712010

On Sat, Mar 19, 2011 at 6:24 AM, Andrew Bartlett wrote:
> On Sat, 2011-03-19 at 10:07 +0100, Matthias Dieter Wallnöfer wrote:
>> Brendan,
>>
>> you don't have to change the "password_hash" LDB module at all. Since on
>> LDAP search requests the password attributes are removed in the "acl"
>> LDB module you might only need to change some array named "password
>> attributes" or so.
>> But probably Nadya could help you more since she is the maintainer of
>> the "acl" module.
>
> The issue here is that Brendan needs a sha1 hash, and we don't currently
> store that. We certainly could have password_hash store an additional
> hash - otherwise, you would need to store and expose the plaintext.

What kind of hash is stored now?

>
> I would support such an optional extension - the main issue would be
> that all the DCs must be Samba4 and configured in the same way or it
> won't work.

This isn't a problem for me. I am only using 1 samba4 DC.

>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.