Full_Name: Quanah Gibson-Mount Version: 2.4.44 OS: N/A URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.148.239) We should remove support for LANMAN hashes from OpenLDAP starting with the 2.5 release series.
changed notes moved from Incoming to Software Bugs
Hi, Is this just the support for LANMAN hashes of passwords in slapd? There seems to also be some stand alone support for samba LANMAN passwords in the smbk5pwd module. Cheers, Andy
Hi, I fixed/implemented this a while ago. I have uploaded a patch to ftp://ftp.openldap.org/incoming/andrew-lawrence-180429.patch With best regards, Dr Andrew Lawrence Siemens Rail Automation Holdings Limited MO MM R&D UK IXL 17 Langley Park Way Chippenham SN15 1GG, United Kingdom Tel.: +44 1249 441808 Mobile: +44 7921 248744 mailto:andrew.lawrence@siemens.com www.siemens.com/rail-automation www.siemens.com/ingenuityforlife Siemens Rail Automation Holdings Limited - registered office: Faraday House, Sir William Siemens Square, Frimley Camberley GU16 8QD. Registered No. 00016033
Hi, I've created a path for smbk5pwd to disable the insecure sambaLMPassword support by default. https://github.com/osstech-jp/openldap/commit/bba50bf6533d8f67dcbfc990b6b3161d22b4de85.patch https://github.com/osstech-jp/openldap/commit/bba50bf6533d8f67dcbfc990b6b3161d22b4de85 -- -- Name: SATOH Fumiyasu @ OSS Technology Corp. (fumiyas @ osstech co jp) -- Business Home: https://www.OSSTech.co.jp/ -- GitHub Home: https://GitHub.com/fumiyas/ -- PGP Fingerprint: BBE1 A1C9 525A 292E 6729 CDEC ADC2 9DCA 5E1C CBCA
Hello, On Thu, Feb 20, 2020 at 03:50:38PM +0000, fumiyas@osstech.co.jp wrote: >I've created a path for smbk5pwd to disable the insecure sambaLMPassword >support by default. Thanks for this patch. Are you aware of any scenarios where sambaLMPassword is actually required today? Personally I'm more inclined to just delete the code rather than #ifdef it; people can always grab the older code if they really need that.
On 2/28/20 8:40 PM, ryan@nardis.ca wrote: > Are you aware of any scenarios where > sambaLMPassword is actually required today? Personally I'm more inclined > to just delete the code rather than #ifdef it; people can always grab > the older code if they really need that. +1 for hunking out LANMAN hashes completely. Ciao, Michael.
I put up my WIP branch on github: https://github.com/openldap/openldap/compare/master...rtandy:its8639 Still need to finish testing smbk5pwd before I can push it.
For 2.5/master - Remove lanman hash support, update configure, etc fixed in master
changed notes changed state Open to Test
Tested smbk5pwd with Samba 4.9.5 (both openssl and gnutls). Works for me, so pushed to master now. Further testing would be appreciated.
commit d34d2c39457ac1d8b1896c17611e247f87abba55 Author: Ryan Tandy <ryan@nardis.ca> Date: Fri Feb 28 13:18:48 2020 -0800 ITS#8639 Delete LM hash support from smbk5pwd commit 0de74408f2f33e252a71aa9dd39b71fb8b888dd1 Author: Ryan Tandy <ryan@nardis.ca> Date: Fri Feb 28 12:13:50 2020 -0800 ITS#8639 Regenerate configure and portable.hin commit 6f5cc45f93c8c4f15b258c63db3d5da8995a4904 Author: Andrew Lawrence <andrew.lawrence@siemens.com> Date: Fri Feb 9 23:32:28 2018 +0000 ITS#8639 remove LANMAN hashed passwords