Re: password API needed

Luke Kenneth Casson Leighton (lkcl@switchboard.net)
Tue, 12 May 1998 19:46:52 +0000 (GMT)

Date:	Tue, 12 May 1998 19:46:52 +0000 (GMT)
From:	Luke Kenneth Casson Leighton <lkcl@switchboard.net>
To:	Jean-Francois Micouleau <Jean-Francois.Micouleau@utc.fr>
Subject: Re: password API needed
In-Reply-To: <Pine.OSF.3.95.980512194444.14449E-100000@kappa.utc.fr>

On Tue, 12 May 1998, Jean-Francois Micouleau wrote:
> > then we will need to put the 16-byte hashes in, not the plain-text
> > password. this is because the plain-text password, in the above
> > scenarios, will not be available.
>
> You have to make the distinction between users and trusts accounts.

why? not in my book you don't, and not in an NT SAM you don't. trust
accounts _are_ SAM users, but just with a different ACB_xxxx value.

> If
> people go for ldap, it's because they probably want to have a single
> database to store password.

yep.

> > so, if i add "ntPwdHash" and "lmPwdHash" to the ldap schema, you know why
> > :-)
>
> I don't like it, I prefer to follow RFC2037.

wossat, then? what does that say (in a nutshell)?

> {lmHash} and {ntHash} are not defined in the RFC, it's something I just
> invented.
>
> crypted passwords are better defined in ldap v3, but the Umich slapd server is
> ldap v2 only.

damn.

then we will have to invent / use what microsoft does, which is to
obfuscate with a long-term session key.