On Tue, 2010-05-25 at 05:11 +0200, masarati@aero.polimi.it wrote:
I've got a little challenge...
there is an attribute in AD call msDS-KeyVersionNumber. In AD this operational attribute increments each time the unicodePwd attribute is updated. It is typically a small integer, being the number of times that the password has ever been changed.
In Samba4, we maintain this by looking into our replication metadata (replPropertyMetaData), and returning a counter that is maintained there.
I could maintain this manually from Samba's side (this is what we did
in
the past), but I wanted to first check if there was something already stored that I could convert.
If I understand correctly what you're asking for, modifications of the unicodePwd attribute should be accompanied by modify:increment of a counter. Something like:
dn: cn=someone changetype: modify replace: unicodePwd unicodePwd:: <some value>
should be transformed into
dn: cn=someone changetype: modify replace: unicodePwd unicodePwd:: <some value>
increment: msDS-KeyVersionNumber msDS-KeyVersionNumber: 1
This way, the modification is atomic. As usual, this could be accomplished by stacking an overlay that intercepts modifications to specified attributes, like unicodePwd.
Can you formalize this a little bit more?
That's pretty much what I was looking for. The exact semantics don't matter too much, but this I need:
- a 'small' monotonically increasing increasing integer
- only increases for unicodePwd, not other updates.
- always strictly related to the unicodePwd value it was incremented
for (as it will be used as an abstract idenifier, along with the DN/samaccountname/etc to identify the secret unicodePwd value).
In contrib/slapd-modules/samba4/ there's now a vernum overlay (vernum.c, *very* experimental) that:
- defines the attribute msDS-KeyVersionNumber (with some changes) as
( 1.2.840.113556.1.4.1782 NAME 'msDS-KeyVersionNumber' DESC 'in the original specification the syntax is 2.5.5.9' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' EQUALITY integerMatch SINGLE-VALUE USAGE dSAOperation NO-USER-MODIFICATION )
I plan to define our own; name suggestions are welcome.
- expects 'unicodePwd' to be defined
- increments msDS-KeyVersionNumber any time unicodePwd is modified, or creates it with value '0' if an entry is added with unicodePwd
- "sanitizes" the database at startup, by creating msDS-KeyVersionNumber in existing entries that contain unicodePwd
I realize right now that it doesn't handle the case of a modify that actually adds the unicodePwd attribute; I'll deal with this shortly.
I plan to make both attrs configurable, so it may be useful in other cases. Right now all you need to do is instantiate the overlay
overlay vernum
and it'll use the default attrs.
p.