From: Erik Persson [mailto:email@example.com]
Sent: Monday, November 12, 2001 2:10 PM
Subject: Re: RFC [Samba/NIS + LDAP]
* Pitfalls... Access control is fundamental, especially for the Windows
password hashes. You don't want these hashes to get sniffed from the
network either so use LDAPS (LDAP with SSL/TLS) whenever possible. By
the way: Can you set an ACL that allows a user to fetch an attribute
when using an SSL connection but not otherwise? Also, if you use Samba
and have any kind of debugging enabled the same hashes wind up in Sambas
access to dn="ou=People,dc=blech,dc=foo" attr=userPassword
by self ssf=128 write
by self peername="127\.0\.0\.1"
by anonymous auth
by * none
will only allow an authenticated user to change his password either over an SSL link or from localhost.