Author: abartlet Date: 2006-09-08 00:23:21 +0000 (Fri, 08 Sep 2006) New Revision: 18240
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=18240 Log: Make it clearer when we store the plaintext password. Store the plaintext password in userPassword in the LDAP backend so that the OpenLDAP server can use DIGEST-MD5. Andrew Bartlett Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/entryUUID.c branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/password_hash.c Changeset:
Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/entryUUID.c
===================================================================
--- branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/entryUUID.c 2006-09-08 00:19:32 UTC (rev 18239)
+++ branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/entryUUID.c 2006-09-08 00:23:21 UTC (rev 18240)
@@ -215,6 +215,15 @@
 }
 },
 {
+ .local_name = "sambaPassword",
+ .type = MAP_RENAME,
+ .u = {
+ .rename = {
+ .remote_name = "userPassword"
+ }
+ }
+ },
+ {
 .local_name = "allowedChildClassesEffective",
 .type = MAP_CONVERT,
 .u = {
Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/password_hash.c
===================================================================
--- branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/password_hash.c 2006-09-08 00:19:32 UTC (rev 18239)
+++ branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/password_hash.c 2006-09-08 00:23:21 UTC (rev 18240)
@@ -88,6 +88,7 @@
 };
 struct domain_data {
+ BOOL store_cleartext;
 uint_t pwdProperties;
 uint_t pwdHistoryLength;
 char *dns_domain;
@@ -535,7 +536,8 @@
 return NULL;
 }
- data->pwdProperties = samdb_result_uint(res->message, "pwdProperties", 0);
+ data->pwdProperties= samdb_result_uint(res->message, "pwdProperties", 0);
+ data->store_cleartext = data->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;
 data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0);
 /* For a domain DN, this puts things in dotted notation */
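Review bot: The new `sambaPassword` to `userPassword` entry in the attribute map carries no comment saying that the value it forwards is the plaintext password, so in the map it reads like any other rename. I would add above `.local_name = "sambaPassword",` a comment such as `/* plaintext password, present only when policy allows it; stored as userPassword so OpenLDAP can do DIGEST-MD5 - the backend ACLs must keep it unreadable */`. Whether the attribute has already been stripped before it reaches this map when cleartext storage is disabled depends on module ordering, which this hunk does not show; that assumption is worth stating in the same comment. The map array starts and ends outside the hunk.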
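Review bot: In the hunk at -535, `data->store_cleartext = data->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;` stores the raw masked bit in a `BOOL`, which is only right while `BOOL` is an integer type wide enough for the flag and nobody compares the field against a true constant. Normalising it, `data->store_cleartext = (data->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT) != 0;`, keeps the field at 0 or 1 whatever `BOOL` is defined as. The rewritten line above it also lost the space before `=` (`data->pwdProperties= samdb_result_uint(...)`), which looks accidental. The enclosing function starts and ends outside the hunk.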
@@ -692,6 +694,7 @@
 /* if we have sambaPassword in the original message add the operatio on it here */
 sambaAttr = ldb_msg_find_element(msg, "sambaPassword");
 if (sambaAttr) {
+ unsigned int user_account_control;
 ret = add_password_hashes(ac->module, msg, 0);
 /* we can compute new password hashes from the unicode password */
 if (ret != LDB_SUCCESS) {
@@ -715,8 +718,10 @@
 /* if both the domain properties and the user account controls do not permit
 * clear text passwords then wipe out the sambaPassword */
- if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) ||
- (!(ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) {
+ user_account_control = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
+ if (domain->store_cleartext && (user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
+ /* Keep sambaPassword attribute */
+ } else {
 ldb_msg_remove_attr(msg, "sambaPassword");
 }
 }
@@ -1022,8 +1027,10 @@
 /* if the domain properties or the user account controls do not permit
 * clear text passwords then wipe out the sambaPassword */
- if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) ||
- (!(ldb_msg_find_attr_as_uint(ac->search_res->message, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) {
+ if (domain->store_cleartext &&
+ (ldb_msg_find_attr_as_uint(ac->search_res->message, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
+ /* Keep sambaPassword attribute */
+ } else {
 ldb_msg_remove_attr(msg, "sambaPassword");
 }
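Review bot: The comment left above the rewritten test in the hunk at -715 still says "if both the domain properties and the user account controls do not permit", but the condition keeps `sambaPassword` only when both permit it and wipes it when either one refuses. Since this is the branch that decides whether a plaintext password is stored, I would reword it to `/* keep sambaPassword only if both the domain policy and the user account control permit cleartext storage; otherwise wipe it */`. The hunk at -1022 states the same rule with "or" and inlines the `ldb_msg_find_attr_as_uint()` call instead of using a local, so the two sites should be written the same way. The enclosing function starts and ends outside the hunk.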
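Review bot: In the hunk at -1022 the else branch only drops `sambaPassword` from `msg`, which, if `msg` is the modify request being built (as the read from `ac->search_res->message` suggests), does not delete a plaintext value stored earlier for the account. With this commit that stored value is also mapped to `userPassword` on the LDAP backend, so after cleartext storage is switched off a password change may leave the previous plaintext there. Please confirm this against the rest of the function, which lies outside the hunk, and at least record it next to the removal, e.g. `/* only strips the new value from this request; a previously stored sambaPassword is not deleted here */`.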