From 704327044d6f54129cef4706b572f1f4dc3ad36f Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 8 Sep 2006 00:23:21 +0000
Subject: r18240: Make it clearer when we store the plaintext password.

Store the plaintext password in userPassword in the LDAP backend so that the OpenLDAP server can use DIGEST-MD5.

Andrew Bartlett
(This used to be commit 1b02c604b2c55e1c9e15ac1f266e7df74d619dbd)
---
 source4/dsdb/samdb/ldb_modules/entryUUID.c | 9 +++++++++
 source4/dsdb/samdb/ldb_modules/password_hash.c | 17 ++++++++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)
(limited to 'source4/dsdb/samdb')

diff --git a/source4/dsdb/samdb/ldb_modules/entryUUID.c b/source4/dsdb/samdb/ldb_modules/entryUUID.c
index 06e5384cff..d6f4b10d76 100644
--- a/source4/dsdb/samdb/ldb_modules/entryUUID.c
+++ b/source4/dsdb/samdb/ldb_modules/entryUUID.c
@@ -214,6 +214,15 @@ const struct ldb_map_attribute entryUUID_attributes[] =
 }
 }
 },
+ {
+ .local_name = "sambaPassword",
+ .type = MAP_RENAME,
+ .u = {
+ .rename = {
+ .remote_name = "userPassword"
+ }
+ }
+ },
 {
 .local_name = "allowedChildClassesEffective",
 .type = MAP_CONVERT,
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 9bdb9aa0cc..d8ef9176fd 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -88,6 +88,7 @@ struct ph_context {
 };
 
 struct domain_data {
+ BOOL store_cleartext;
 uint_t pwdProperties;
 uint_t pwdHistoryLength;
 char *dns_domain;
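Review bot: The new MAP_RENAME entry forwards the cleartext `sambaPassword` to the backend as `userPassword` with no comment recording why, and nothing in this hunk constrains who may read that attribute once it is stored there. A note on the entry, e.g. `/* cleartext password; stored as userPassword so the LDAP server can do DIGEST-MD5 -- read access must be restricted by the backend's ACL */`, would make that dependency explicit. Whether sambaPassword survives to this point at all is decided in password_hash.c by DOMAIN_PASSWORD_STORE_CLEARTEXT and UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED, and the comment should cross-reference that. entryUUID_attributes[] begins and ends outside this hunk.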
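Review bot: `BOOL store_cleartext;` is added to struct domain_data without a comment, so a reader of the struct cannot see that it is derived from the DOMAIN_PASSWORD_STORE_CLEARTEXT bit of `pwdProperties` in get_domain_data() (hunk at @@ -535). Suggest `BOOL store_cleartext; /* pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT, set by get_domain_data() */`. The struct's remaining members lie outside this hunk.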
@@ -535,7 +536,8 @@ static struct domain_data *get_domain_data(struct ldb_module *module, void *ctx,
 return NULL;
 }
 
- data->pwdProperties = samdb_result_uint(res->message, "pwdProperties", 0);
+ data->pwdProperties= samdb_result_uint(res->message, "pwdProperties", 0);
+ data->store_cleartext = data->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;
 data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0);
 
 /* For a domain DN, this puts things in dotted notation */
@@ -692,6 +694,7 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
 /* if we have sambaPassword in the original message add the operatio on it here */
 sambaAttr = ldb_msg_find_element(msg, "sambaPassword");
 if (sambaAttr) {
+ unsigned int user_account_control;
 ret = add_password_hashes(ac->module, msg, 0);
 /* we can compute new password hashes from the unicode password */
 if (ret != LDB_SUCCESS) {
@@ -715,8 +718,10 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
 
 /* if both the domain properties and the user account controls do not permit
 * clear text passwords then wipe out the sambaPassword */
- if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) ||
- (!(ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) {
+ user_account_control = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
+ if (domain->store_cleartext && (user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
+ /* Keep sambaPassword attribute */
+ } else {
 ldb_msg_remove_attr(msg, "sambaPassword");
 }
 }
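Review bot: `data->store_cleartext = data->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;` stores the raw mask bit (or whatever survives conversion to BOOL) rather than a normalised TRUE/FALSE, which will bite if the field is ever compared with `== True`; `data->store_cleartext = (data->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT) != 0;` removes that hazard. The rewritten line just above it also loses the space before `=` (`data->pwdProperties= samdb_result_uint(...)`), which looks accidental and should be restored. get_domain_data()'s body continues outside this hunk.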
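Review bot: `unsigned int user_account_control;` is declared at the top of the `if (sambaAttr)` block but is not assigned until the hunk at @@ -715, so it sits uninitialised across the intervening add_password_hashes() error handling and a reader has to search for its use. Declaring it where it is first assigned, `unsigned int user_account_control = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);`, keeps its scope tight; if the file's declaration-at-block-start style forbids that, a comment at the declaration naming the later check would do. password_hash_add_do_add() continues outside this hunk.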
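Review bot: The new check quietly depends on `ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0)` yielding 0 when the attribute is absent, which makes the missing-attribute case fail safe (the cleartext is removed), but nothing says so; a comment at the call such as `/* absent userAccountControl reads as 0, so cleartext is dropped unless explicitly allowed */` would protect that behaviour against a later change of the default. The two-line context comment above the condition ("if both ... do not permit ... wipe out") reads as if both sides must refuse before the wipe, whereas the new `if (store_cleartext && ...) { keep } else { remove }` shape wipes when either side refuses; rewording it to "keep sambaPassword only if both the domain and the account permit cleartext" would match the code. password_hash_add_do_add() continues outside this hunk.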
@@ -1022,8 +1027,10 @@ static int password_hash_mod_do_mod(struct ldb_handle *h) {
 
 /* if the domain properties or the user account controls do not permit
 * clear text passwords then wipe out the sambaPassword */
- if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) ||
- (!(ldb_msg_find_attr_as_uint(ac->search_res->message, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) {
+ if (domain->store_cleartext &&
+ (ldb_msg_find_attr_as_uint(ac->search_res->message, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
+ /* Keep sambaPassword attribute */
+ } else {
 ldb_msg_remove_attr(msg, "sambaPassword");
 }
 
-- cgit
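Review bot: The rewritten condition takes userAccountControl from `ac->search_res->message`, i.e. the object's stored value, so at least in this check a userAccountControl carried in the same modify request is not consulted and the decision to keep sambaPassword follows the old flag; if that is intentional it deserves a comment, e.g. `/* the stored userAccountControl decides, not one carried in this modify */`, otherwise the request's value needs to be considered as well. The add path in the hunk at @@ -715 reads the value into a local `user_account_control` first; mirroring that here would keep the two checks alike and easier to compare. The context comment above the condition describes the old negated form and should be reworded to match the new keep/else-remove shape, as noted for the add path. password_hash_mod_do_mod() begins and ends outside this hunk.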