
Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange




2010/5/14 Michael Ströder <michael@stroeder.com>

> online@mark.ziesemer.com wrote:
> > Full_Name: Mark A. Ziesemer
> > Version: 2.4.21 / HEAD
> > OS: Ubuntu Linux
> > URL: ftp://ftp.openldap.org/incoming/smbk5pwd-shadow-b.patch
> > Submission from: (NULL) (2001:470:1f11:3ae:dc54:73ba:be16:148)
> >
> > Using the PasswordModify Extended Operation (exop) along with the smbk5pwd slapd
> > overlay provides several benefits, but does not currently include the
> > shadowLastChange attribute of the shadowAccount class.  This means the
> > shadowLastChange is missed from update, unless specially done along with a
> > PasswordModify.
>
> While I agree that this could be useful in general I'd rather argue that for
> Samba 3 'sambaPwdLastSet' should be set.
>

sambaPwdLastSet is already handled by the "samba" portion of this overlay.

> 'shadowLastChange' is rather a POSIX account attribute which from my
> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be
> extended...
>

I guess I wouldn't have any objections if all the references to "shadow"
were renamed to "posix".  However, the shadowLastChange attribute is part of
the shadowAccount objectClass - with neither of these names referring to
POSIX.

I had considered a separate overlay.  However, in terms of purpose, shared
code, functionality, and performance, it seems to make the most sense to
include this addition into the smbk5pwd overlay.

Both pam_ldap and the Samba client support use of exop password changes.
Additionally, pam_ldap doesn't appear to support hashing to SSHA (only MD5,
which is also the default) - so setting to "exop" also allows for a stronger
hash of the password to be stored.

With the unpatched overlay, doing an exop password change updates
userPassword (used by POSIX), as well as all the Samba attributes:
sambaLMPassword, sambaNTPassword, and sambaPwdLastSet.  This allows Samba
clients to use the updated password as well as seeing when the password was
last set, but POSIX clients do not see an updated shadowLastChange.  This
patch adds support for the otherwise missing shadowLastChange, keeping
everything consistent.

There are many issues posted online with all the password attributes except
shadowLastChange getting updated.  This patch should provide a solution for
many of these cases.


> Ciao, Michael.
>

--
Mark A. Ziesemer
www.ziesemer.com
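The inconsistency described in this thread (an exop password change refreshing sambaPwdLastSet while shadowLastChange is left behind) can be audited in an existing directory. The script below is an added example, not the patch from the ITS or any OpenLDAP code; it assumes a plain LDIF export with no base64 or continuation lines, and that sambaPwdLastSet holds Unix seconds while shadowLastChange holds days since 1970-01-01 (Samba schema and shadow(5)).

```python
SECONDS_PER_DAY = 86400

# Constructed sample LDIF export (not from the ITS): alice is consistent,
# bob shows the stale-shadowLastChange symptom, carol has no Samba attributes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
sambaPwdLastSet: 1273852800
shadowLastChange: 14743

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
sambaPwdLastSet: 1273852800
shadowLastChange: 14500

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
shadowLastChange: 14600
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def samba_to_shadow_days(samba_pwd_last_set):
    """Convert Samba's Unix-seconds timestamp to shadow's days-since-epoch."""
    return int(samba_pwd_last_set) // SECONDS_PER_DAY


def find_stale_shadow(ldif_text):
    """Return (uid, expected_days, actual_days) for entries carrying both
    attributes whose shadowLastChange predates sambaPwdLastSet."""
    stale = []
    for entry in parse_ldif(ldif_text):
        if "sambaPwdLastSet" not in entry or "shadowLastChange" not in entry:
            continue  # single-stack account: nothing to cross-check
        expected = samba_to_shadow_days(entry["sambaPwdLastSet"][0])
        actual = int(entry["shadowLastChange"][0])
        if actual < expected:
            stale.append((entry["uid"][0], expected, actual))
    return stale
```

Run against a real export with `find_stale_shadow(open("export.ldif").read())`; every returned uid is an account whose POSIX password-age view lags the Samba one.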
