From online@mark.ziesemer.com Fri May 14 13:30:12 2010
From: online@mark.ziesemer.com
To: openldap-bugs@openldap.org
Subject: Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
Date: Fri, 14 May 2010 13:30:11 +0000
Message-ID: <201005141330.o4EDUBbx073526@boole.openldap.org>

2010/5/14 Michael Ströder <michael(a)stroeder.com>
> online(a)mark.ziesemer.com wrote:
> > Full_Name: Mark A. Ziesemer
> > Version: 2.4.21 / HEAD
> > OS: Ubuntu Linux
> > URL: ftp://ftp.openldap.org/incoming/smbk5pwd-shadow-b.patch
> > Submission from: (NULL) (2001:470:1f11:3ae:dc54:73ba:be16:148)
> >
> > Using the PasswordModify Extended Operation (exop) along with the smbk5pwd slapd
> > overlay provides several benefits, but does not currently include the
> > shadowLastChange attribute of the shadowAccount class.  This means the
> > shadowLastChange is missed from the update, unless specially done along with a
> > PasswordModify.
>
> While I agree that this could be useful in general I'd rather argue that for
> Samba 3 'sambaPwdLastSet' should be set.

sambaPwdLastSet is already handled by the "samba" portion of this overlay.

> 'shadowLastChange' is rather a POSIX account attribute which from my
> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be
> extended...

I guess I wouldn't have any objections if all the references to "shadow" were renamed to "posix".  However, the shadowLastChange attribute is part of the shadowAccount objectClass - with neither of these names referring to POSIX.

I had considered a separate overlay.  However, in terms of purpose, shared code, functionality, and performance, it seems to make the most sense to include this addition into the smbk5pwd overlay.

Both pam_ldap and the Samba client support use of exop password changes.  Additionally, pam_ldap doesn't appear to support hashing to SSHA (only MD5, which is also the default) - so setting to "exop" also allows for a stronger hash of the password to be stored.

With the unpatched overlay, doing an exop password change updates userPassword (used by POSIX), as well as all the Samba attributes: sambaLMPassword, sambaNTPassword, and sambaPwdLastSet.  This allows Samba clients to use the updated password as well as see when the password was last set, but POSIX clients do not see an updated shadowLastChange.  This patch adds support for the otherwise missing shadowLastChange, keeping everything consistent.

There are many issues posted online with all the password attributes except shadowLastChange getting updated.  This patch should provide a solution for many of these cases.

> Ciao, Michael.

--
Mark A. Ziesemer
www.ziesemer.com
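The inconsistency described in this message (sambaPwdLastSet advanced by the exop password change while shadowLastChange stayed behind) can be audited from an LDIF export before and after deploying the patch. The script below is an added example, not code from the OpenLDAP project or from the ITS#6550 patch. It relies only on facts stated in the message plus the standard attribute syntaxes: sambaPwdLastSet is seconds since the Unix epoch and shadowLastChange is days since the epoch. The LDIF entries, DNs, uids and timestamps are constructed; the one-day tolerance is an assumption to absorb the truncation to whole days.

```python
"""Audit an LDIF export for shadowAccount entries whose shadowLastChange
was not updated together with the Samba password attributes.

Added example; not part of OpenLDAP or the smbk5pwd patch.
Assumes the entries come from something like `ldapsearch -LLL` (LDIF).
"""
import base64

SECONDS_PER_DAY = 86400

# Constructed LDIF (not real accounts): alice is consistent, bob's
# shadowLastChange was never touched by the exop password change, and
# carol has no shadowLastChange at all.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: alice
userPassword: {SSHA}not-a-real-hash
sambaPwdLastSet: 1273843811
shadowLastChange: 14743
description:: Y29uc3RydWN0ZWQ=

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: bob
userPassword: {SSHA}not-a-real-hash
sambaPwdLastSet: 1273843811
shadowLastChange: 14600

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: carol
userPassword: {SSHA}not-a-real-hash
sambaPwdLastSet: 1273843811
"""


def parse_ldif(text):
    """Minimal LDIF reader: a blank line separates entries, a leading space
    folds a line onto the previous one, and 'attr:: value' is base64.
    Attribute names are lower-cased because LDAP treats them case-insensitively."""
    entries = []
    for block in text.strip().split("\n\n"):
        unfolded = []
        for line in block.splitlines():
            if line.startswith(" ") and unfolded:
                unfolded[-1] += line[1:]
            elif line and not line.startswith("#"):
                unfolded.append(line)
        entry = {}
        for line in unfolded:
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry.setdefault(attr.strip().lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries


def shadow_days(epoch_seconds):
    """Convert a sambaPwdLastSet value (seconds) to shadowLastChange units (days)."""
    return epoch_seconds // SECONDS_PER_DAY


def check_entry(entry, tolerance_days=1):
    """Return a list of findings for one entry; an empty list means consistent."""
    findings = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "shadowaccount" not in classes:
        return findings  # no shadowLastChange expected, nothing to compare
    last_set = entry.get("sambapwdlastset")
    last_change = entry.get("shadowlastchange")
    if not last_change:
        findings.append("shadowLastChange is absent")
    elif last_set:
        expected = shadow_days(int(last_set[0]))
        actual = int(last_change[0])
        # Tolerance (assumed) covers truncation to whole days.
        if actual < expected - tolerance_days:
            findings.append(
                f"shadowLastChange {actual} lags sambaPwdLastSet "
                f"(day {expected}) by {expected - actual} days")
    return findings


def audit(ldif_text, tolerance_days=1):
    """Map each DN in the LDIF to its findings."""
    return {e["dn"][0]: check_entry(e, tolerance_days)
            for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for dn, findings in audit(SAMPLE_LDIF).items():
        print(dn, "OK" if not findings else "; ".join(findings))
```

Accounts the audit flags are exactly the ones POSIX clients see with a stale (or missing) password-age; the obvious one-off repair is to set shadowLastChange to sambaPwdLastSet divided by 86400, and the patched overlay keeps the two in step for subsequent exop changes.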