
Re: NT/LM hash support for OpenLDAP



>Does anyone have a problem with adding the following to schema_prep.c
>(courtesy jerry@samba.org, according to the enterprise number)?
>attributetype ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword'
>        DESC 'LanManager Passwd'
>        EQUALITY caseIgnoreIA5Match
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
>
>attributetype ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword'
>        DESC 'NT Passwd'
>        EQUALITY caseIgnoreIA5Match
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

I think the "preferred" way to add a hash would be another
{auth,user}Password scheme, particularly given that there is
already LANMAN support. Although this wouldn't be compatible
with the incumbent SAMBA schema, it would avoid having to change
any of the backends.

My concern would be entrenching a SAMBA schema which is likely
to change as SAMBA evolves towards complete Active Directory
support. Of course, I have no authority on this matter, and
I'm not trying to discourage you :-) I would just think that
anything in schema_prep.c should be at least promulgated in
an IETF standard.

>Is there a better way to implement the exops in the backends - I've only
>had a quick look but it seems they're fairly manual (start transaction, get
>entry, etc.) where I'd probably rather be putting the code for each hash in
>one place and calling backend specific update functions.

Well, if you go with the above suggestion, you need only
modify libraries/liblutil/passwd.c.

regards,

-- Luke

--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
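Added illustration of the {SCHEME}-tagged userPassword approach Luke suggests, as opposed to the separate lmPassword/ntPassword attributes in the quoted schema. This is not code from the thread, from OpenLDAP's liblutil/passwd.c, or from Samba; it is a stand-alone sketch. The scheme name "{NT}" and the upper-case hex encoding are assumptions for the example; the NT hash itself (MD4 over the UTF-16LE password, unsalted) and the MD4 algorithm follow RFC 1320. MD4 is written out here because hashlib's md4 is frequently disabled by the underlying OpenSSL build.

```python
"""Stand-alone sketch (not OpenLDAP or Samba code) of storing an NT hash as a
{NT}-tagged userPassword value and verifying a bind against it.  The {NT}
scheme tag and hex encoding are assumptions made for this example."""
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320).  The NT hash is MD4 of the UTF-16LE
    password, and hashlib.new('md4') is often unavailable, so it is inlined."""
    msg = bytearray(data)
    msg.append(0x80)                       # one '1' bit, then zero padding
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)  # bit length, LE

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    # (mixing function, word order, per-step shifts, round constant)
    rounds = (
        (F, tuple(range(16)), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, order, shifts, k in rounds:
            for i, wi in enumerate(order):
                t = (-i) % 4               # target cycles a, d, c, b
                x, y, z, w = v[t], v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _lrot((x + fn(y, z, w) + X[wi] + k) & MASK32, shifts[i % 4])
        state = [(s + n) & MASK32 for s, n in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def nt_scheme_encode(password: str) -> str:
    """Render the hash as a userPassword value with an assumed {NT} scheme tag,
    the alternative to a dedicated ntPassword attribute."""
    return "{NT}" + nt_hash(password).hex().upper()


def check_userpassword(stored: str, candidate: str) -> bool:
    """Verify a candidate against a '{SCHEME}value' userPassword, dispatching on
    the scheme the way a per-scheme checker in liblutil would.  Only the assumed
    {NT} scheme is handled here; anything else is refused rather than guessed."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, value = stored[1:].split("}", 1)
    if scheme.upper() != "NT":
        return False
    try:
        expected = bytes.fromhex(value)
    except ValueError:
        return False
    if len(expected) != 16:
        return False
    return hmac.compare_digest(expected, nt_hash(candidate))   # constant-time


def fits_proposed_syntax(value: str) -> bool:
    """The quoted schema declares SYNTAX ...1466.115.121.1.26{32}, i.e. IA5 String
    with a length hint of 32: a 16-byte hash written as hex is exactly 32 IA5
    characters.  This checks that a value would fit that declaration."""
    return len(value) == 32 and all(c in "0123456789abcdefABCDEF" for c in value)
```

The practical difference between the two designs: with a tagged userPassword value the directory server itself can verify a simple bind against the NT hash through its scheme dispatcher, whereas a separate ntPassword attribute is just data that the Samba side reads and compares, and adding it means every backend must learn a new attribute rather than passwd.c learning one new scheme.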