On Mon, 2006-01-02 at 05:39 -0800, Howard Chu wrote:
As suggested, you could use a regular Bind operation to update the
authentication state in the auxprop "done" method. As long as the done
method is called in all cases, the lookup method doesn't need to trigger
any updates, and the only extension we need is to define the ppolicy
control behavior when accompanying a Search. I think this is a
relatively benign change and ought to be rolled into draft-behera; it is
at least as relevant as the current support for Compare operations.
But how should this be handled if we don't store the plaintext. I
realise this isn't where Cyrus-SASL is heading, but Samba traditionally
only stores the NT and LM hashes. For the Samba4 work, storage of what
windows calls the 'reversibly encrypted password' is optional, and I
would hate for LDAP-based password policy to rely on it.