On Tue, 2010-05-25 at 05:11 +0200, email@example.com wrote:
> > I've got a little challenge...
> >
> > there is an attribute in AD called msDS-KeyVersionNumber.  In AD this
> > operational attribute increments each time the unicodePwd attribute is
> > updated.  It is typically a small integer, being the number of times
> > that the password has ever been changed.
> >
> > In Samba4, we maintain this by looking into our replication metadata
> > (replPropertyMetaData), and returning a counter that is maintained
> > there.
> >
> > I could maintain this manually from Samba's side (this is what we did in
> > the past), but I wanted to first check if there was something already
> > stored that I could convert.
>
> If I understand correctly what you're asking for, modifications of the
> unicodePwd attribute should be accompanied by modify:increment of a
> counter.  Something like:
>
> dn: cn=someone
> changetype: modify
> replace: unicodePwd
> unicodePwd:: <some value>
> -
>
> should be transformed into
>
> dn: cn=someone
> changetype: modify
> replace: unicodePwd
> unicodePwd:: <some value>
> -
> increment: msDS-KeyVersionNumber
> msDS-KeyVersionNumber: 1
> -
>
> This way, the modification is atomic.  As usual, this could be
> accomplished by stacking an overlay that intercepts modifications to
> specified attributes, like unicodePwd.
>
> Can you formalize this a little bit more?

That's pretty much what I was looking for.  The exact semantics don't
matter too much, but this I need:

 - a 'small' monotonically increasing integer
 - only increases for unicodePwd, not other updates.
 - always strictly related to the unicodePwd value it was incremented
   for (as it will be used as an abstract identifier, along with the
   DN/samaccountname/etc to identify the secret unicodePwd value).

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
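
The rewrite discussed in this thread, as an added example that is not part of the original message and is not Samba or OpenLDAP code: a Python sketch that appends the counter increment to an LDIF modify record only when unicodePwd is changed. The function names, the sample records and the policy of rejecting client writes to the counter are assumptions made for illustration.

```python
# Added sketch (not Samba or OpenLDAP code): the rewrite an intercepting
# overlay would apply to an LDIF modify record before it is committed.
PWD_ATTR = "unicodePwd"
KVNO_ATTR = "msDS-KeyVersionNumber"
MOD_OPS = ("add", "delete", "replace", "increment")

def parse_mods(record):
    """Return (header_lines, [(op, attr, value_lines), ...])."""
    header, mods, current = [], [], None
    for line in record.strip().splitlines():
        if line == "-":                      # end of one change
            if current:
                mods.append(current)
            current = None
            continue
        key, _, rest = line.partition(":")
        if current is None and key in MOD_OPS:
            current = (key, rest.strip(), [])
        elif current is None:
            header.append(line)              # dn:, changetype:
        else:
            current[2].append(line)          # attribute value line
    if current:
        mods.append(current)
    return header, mods

def add_kvno_increment(record):
    """Append one counter increment only when the password is changed."""
    header, mods = parse_mods(record)
    attrs = [attr.lower() for _, attr, _ in mods]
    # Assumed policy: clients may never write the counter themselves, so it
    # only ever moves together with a unicodePwd change.
    if KVNO_ATTR.lower() in attrs:
        raise ValueError(f"{KVNO_ATTR} is maintained by the server")
    if PWD_ATTR.lower() in attrs:
        mods.append(("increment", KVNO_ATTR, [f"{KVNO_ATTR}: 1"]))
    out = list(header)
    for op, attr, values in mods:
        out += [f"{op}: {attr}", *values, "-"]
    return "\n".join(out) + "\n"

# Constructed sample records (the password value is a placeholder).
HEADER = "dn: cn=someone\nchangetype: modify\n"
PWD_CHANGE = HEADER + "replace: unicodePwd\nunicodePwd:: UExBQ0VIT0xERVI=\n-\n"
OTHER_CHANGE = HEADER + "replace: description\ndescription: unrelated update\n-\n"
```

Because the increment travels in the same modify request as the password replace, the server applies both or neither, which is what keeps the counter tied to the password value it was incremented for.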