Date: Tue, 12 May 1998 19:46:52 +0000 (GMT)
From: Luke Kenneth Casson Leighton <lkcl@switchboard.net>
To: Jean-Francois Micouleau <Jean-Francois.Micouleau@utc.fr>
Subject: Re: password API needed
In-Reply-To: <Pine.OSF.3.95.980512194444.14449E-100000@kappa.utc.fr>
On Tue, 12 May 1998, Jean-Francois Micouleau wrote:
> > then we will need to put the 16 byte hashes in, not the plain-text
> > password. this is because the plain-text password, in the above
> > scenarios, will not be available.
>
> You have to make the distinction between users and trust accounts.
why? not in my book you don't, and not in an NT SAM you don't. trust
accounts _are_ SAM users, but just with a different ACB_xxxx value.
> If
> people go for ldap, it's because they probably want to have a single
> database to store passwords.
yep.
> > so, if i add "ntPwdHash" and "lmPwdHash" to the ldap schema, you know why
> > :-)
>
> I don't like it, I prefer to follow RFC2037.
wossat, then? what's that say (in a nutshell)?
> {lmHash} and {ntHash} are not defined in the RFC, it's something I just
> invented.
>
> crypted passwords are better defined in ldap v3, but Umich slapd server is
> ldap v2 only.
damn.
then we will have to invent / use what microsoft does, which is to
obfuscate with a long-term session key.