On Tue, 2010-05-25 at 05:11 +0200, masarati@aero.polimi.it wrote:
I've got a little challenge...
there is an attribute in AD called msDS-KeyVersionNumber. In AD this operational attribute increments each time the unicodePwd attribute is updated. It is typically a small integer, being the number of times that the password has ever been changed.
In Samba4, we maintain this by looking into our replication metadata (replPropertyMetaData), and returning a counter that is maintained there.
I could maintain this manually from Samba's side (this is what we did in the past), but I wanted to first check if there was something already stored that I could convert.
If I understand correctly what you're asking for, modifications of the unicodePwd attribute should be accompanied by modify:increment of a counter. Something like:
dn: cn=someone
changetype: modify
replace: unicodePwd
unicodePwd:: <some value>
should be transformed into
dn: cn=someone
changetype: modify
replace: unicodePwd
unicodePwd:: <some value>
-
increment: msDS-KeyVersionNumber
msDS-KeyVersionNumber: 1
This way, the modification is atomic. As usual, this could be accomplished by stacking an overlay that intercepts modifications to specified attributes, like unicodePwd.
Can you formalize this a little bit more?
That's pretty much what I was looking for. The exact semantics don't matter too much, but this I need:
- a 'small' monotonically increasing integer
- only increases for unicodePwd, not other updates.
- always strictly related to the unicodePwd value it was incremented for (as it will be used as an abstract identifier, along with the DN/samaccountname/etc to identify the secret unicodePwd value).
Thanks,
Andrew Bartlett
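The rewrite Pierangelo describes (replace of unicodePwd gains an increment of msDS-KeyVersionNumber inside the same modify) and the three requirements Andrew lists, as an added example that is not part of this thread and not Samba's or OpenLDAP's code. A real overlay would be written in C against slapd's overlay API; this Python simulation parses a "changetype: modify" LDIF record, applies the same rewrite, serialises it back, and applies it to a toy in-memory entry with all-or-nothing semantics. The entry, the DN cn=someone and the password values are constructed sample data; the quoted UTF-16LE form of the unicodePwd value follows AD's convention and is only used to show that binary values round-trip through base64.

```python
"""Simulate the proposed overlay: a modify that touches unicodePwd is
rewritten to also carry 'increment: msDS-KeyVersionNumber', so the counter
bump is part of the same, all-or-nothing modify operation.  Added example,
not Samba or OpenLDAP code."""
import base64
import copy

PWD_ATTR = "unicodePwd"
KVNO_ATTR = "msDS-KeyVersionNumber"
MOD_OPS = ("add", "delete", "replace", "increment")


def _unfold(text):
    """Join LDIF continuation lines; drop comments and blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw.rstrip("\r"))
    return lines


def _parse_line(line):
    """'attr: value' -> (attr, bytes); 'attr:: b64' is base64-decoded."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr.strip(), base64.b64decode(rest[1:].strip())
    return attr.strip(), rest.strip().encode()


def parse_modify(ldif_text):
    """Parse one 'changetype: modify' record into (dn, [(op, attr, values)])."""
    lines = _unfold(ldif_text)
    if len(lines) < 2 or not lines[0].lower().startswith("dn:"):
        raise ValueError("record must start with a dn: line")
    dn = _parse_line(lines[0])[1].decode()
    ct, val = _parse_line(lines[1])
    if ct.lower() != "changetype" or val.lower() != b"modify":
        raise ValueError("only changetype: modify is handled")
    mods, cur = [], None
    for line in lines[2:]:
        if line == "-":                      # terminates the current mod
            cur = None
            continue
        attr, value = _parse_line(line)
        if cur is None:                      # 'op: attr' opens a new mod
            if attr.lower() not in MOD_OPS:
                raise ValueError("unknown modify op %r" % attr)
            cur = (attr.lower(), value.decode(), [])
            mods.append(cur)
        elif attr.lower() != cur[1].lower():
            raise ValueError("value line %r does not belong to %s" % (line, cur[1]))
        else:
            cur[2].append(value)
    return dn, mods


def add_kvno_increment(mods):
    """The overlay's rewrite: append the increment when unicodePwd is touched
    and the request does not already carry one; any other modify passes
    through unchanged, so the counter only moves for password changes."""
    touches_pwd = any(a.lower() == PWD_ATTR.lower() for _, a, _ in mods)
    has_bump = any(op == "increment" and a.lower() == KVNO_ATTR.lower()
                   for op, a, _ in mods)
    if touches_pwd and not has_bump:
        return list(mods) + [("increment", KVNO_ATTR, [b"1"])]
    return list(mods)


def _safe(value):
    """LDIF SAFE-STRING: printable ASCII, not starting with space, ':' or '<'."""
    return bool(value) and all(0x20 <= b < 0x7f for b in value) \
        and value[:1] not in (b" ", b":", b"<")


def to_ldif(dn, mods):
    """Serialise back to LDIF, base64-encoding non-safe (e.g. UTF-16) values."""
    out = ["dn: " + dn, "changetype: modify"]
    for op, attr, values in mods:
        out.append("%s: %s" % (op, attr))
        for v in values:
            out.append("%s: %s" % (attr, v.decode()) if _safe(v)
                       else "%s:: %s" % (attr, base64.b64encode(v).decode()))
        out.append("-")
    return "\n".join(out) + "\n"


def rewrite_modify(ldif_text):
    """What the overlay does on the wire: parse, add the increment, re-emit."""
    dn, mods = parse_modify(ldif_text)
    return to_ldif(dn, add_kvno_increment(mods))


def _key(entry, attr):
    """Attribute names are case-insensitive; reuse the stored spelling."""
    return next((k for k in entry if k.lower() == attr.lower()), attr)


def apply_modify(entry, mods):
    """Apply mods to a copy of entry (attr -> list of bytes) and commit only
    if every mod succeeds, mirroring slapd's all-or-nothing modify."""
    work = copy.deepcopy(entry)
    for op, attr, values in mods:
        k = _key(work, attr)
        if op == "replace":
            work[k] = list(values) if values else work.pop(k, None) and []
            if not values:
                work.pop(k, None)
        elif op == "add":
            work.setdefault(k, []).extend(values)
        elif op == "delete":
            if values:
                work[k] = [v for v in work.get(k, []) if v not in values]
            else:
                work.pop(k, None)
        else:  # increment (RFC 4525): attribute must exist, one integer amount
            if k not in work:
                raise LookupError("noSuchAttribute: %s" % attr)
            if len(values) != 1:
                raise ValueError("increment takes exactly one amount")
            work[k] = [str(int(v) + int(values[0])).encode() for v in work[k]]
    entry.clear()
    entry.update(work)
    return entry


# Constructed sample data (not from the thread): an entry whose counter already
# exists, and a password change in the form AD expects (quoted UTF-16LE).
SAMPLE_ENTRY = {
    "sAMAccountName": [b"someone"],
    "unicodePwd": ['"old"'.encode("utf-16-le")],
    "msDS-KeyVersionNumber": [b"1"],
}
PWD_CHANGE = ("dn: cn=someone\nchangetype: modify\nreplace: unicodePwd\n"
              "unicodePwd:: %s\n"
              % base64.b64encode('"new"'.encode("utf-16-le")).decode())

if __name__ == "__main__":
    print(rewrite_modify(PWD_CHANGE))
    entry = dict(SAMPLE_ENTRY)
    apply_modify(entry, add_kvno_increment(parse_modify(PWD_CHANGE)[1]))
    print(entry[KVNO_ATTR])
```

One caveat the simulation makes visible: an RFC 4525 increment on an attribute the entry does not have fails with noSuchAttribute, and because the increment rides in the same modify, the password change is rejected with it. The counter therefore has to be present before the first password change (set when the entry is created), or the overlay has to turn the increment into an add of "1" when the attribute is absent.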