summaryrefslogtreecommitdiffstats
path: root/source4/dsdb/samdb
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-09-08 00:23:21 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:17:53 -0500
commit704327044d6f54129cef4706b572f1f4dc3ad36f (patch)
treece000c738ce7be3f398403c1f8c500179a60c1ba /source4/dsdb/samdb
parentef54074392107dca5af9bbdde611c9440e5fb688 (diff)
downloadsamba-704327044d6f54129cef4706b572f1f4dc3ad36f.tar.gz
samba-704327044d6f54129cef4706b572f1f4dc3ad36f.tar.xz
samba-704327044d6f54129cef4706b572f1f4dc3ad36f.zip
r18240: Make it clearer when we store the plaintext password.
Store the plaintext password in userPassword in the LDAP backend so that the OpenLDAP server can use DIGEST-MD5. Andrew Bartlett (This used to be commit 1b02c604b2c55e1c9e15ac1f266e7df74d619dbd)
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/entryUUID.c9
-rw-r--r--source4/dsdb/samdb/ldb_modules/password_hash.c17
2 files changed, 21 insertions, 5 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/entryUUID.c b/source4/dsdb/samdb/ldb_modules/entryUUID.c
index 06e5384cffc..d6f4b10d76c 100644
--- a/source4/dsdb/samdb/ldb_modules/entryUUID.c
+++ b/source4/dsdb/samdb/ldb_modules/entryUUID.c
@@ -215,6 +215,15 @@ const struct ldb_map_attribute entryUUID_attributes[] =
}
},
{
+ .local_name = "sambaPassword",
+ .type = MAP_RENAME,
+ .u = {
+ .rename = {
+ .remote_name = "userPassword"
+ }
+ }
+ },
+ {
.local_name = "allowedChildClassesEffective",
.type = MAP_CONVERT,
.u = {
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 9bdb9aa0cc5..d8ef9176fdc 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -88,6 +88,7 @@ struct ph_context {
};
struct domain_data {
+ BOOL store_cleartext;
uint_t pwdProperties;
uint_t pwdHistoryLength;
char *dns_domain;
@@ -535,7 +536,8 @@ static struct domain_data *get_domain_data(struct ldb_module *module, void *ctx,
return NULL;
}
- data->pwdProperties = samdb_result_uint(res->message, "pwdProperties", 0);
+ data->pwdProperties= samdb_result_uint(res->message, "pwdProperties", 0);
+ data->store_cleartext = data->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;
data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0);
/* For a domain DN, this puts things in dotted notation */
@@ -692,6 +694,7 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
/* if we have sambaPassword in the original message add the operatio on it here */
sambaAttr = ldb_msg_find_element(msg, "sambaPassword");
if (sambaAttr) {
+ unsigned int user_account_control;
ret = add_password_hashes(ac->module, msg, 0);
/* we can compute new password hashes from the unicode password */
if (ret != LDB_SUCCESS) {
@@ -715,8 +718,10 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
/* if both the domain properties and the user account controls do not permit
* clear text passwords then wipe out the sambaPassword */
- if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) ||
- (!(ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) {
+ user_account_control = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
+ if (domain->store_cleartext && (user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
+ /* Keep sambaPassword attribute */
+ } else {
ldb_msg_remove_attr(msg, "sambaPassword");
}
}
@@ -1022,8 +1027,10 @@ static int password_hash_mod_do_mod(struct ldb_handle *h) {
/* if the domain properties or the user account controls do not permit
* clear text passwords then wipe out the sambaPassword */
- if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) ||
- (!(ldb_msg_find_attr_as_uint(ac->search_res->message, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) {
+ if (domain->store_cleartext &&
+ (ldb_msg_find_attr_as_uint(ac->search_res->message, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
+ /* Keep sambaPassword attribute */
+ } else {
ldb_msg_remove_attr(msg, "sambaPassword");
}