* Modules in ldb will set all the appropriate
* hashes */
CHECK_RET(samdb_msg_add_string(ctx, mem_ctx, mod,
- "sambaPassword", new_pass));
+ "userPassword", new_pass));
} else {
/* We don't have the cleartext, so delete the old one
* and set what we have of the hashes */
- CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, "sambaPassword"));
+ CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, "userPassword"));
if (lmNewHash) {
CHECK_RET(samdb_msg_add_hash(ctx, mem_ctx, mod, "dBCSPwd", lmNewHash));
/* FIXME: I hink we should copy the tree and keep the original
* unmodified. SSS */
/* replace any attributes in the parse tree that are private,
- so we don't allow a search for 'sambaPassword=penguin',
+ so we don't allow a search for 'userPassword=penguin',
just as we would not allow that attribute to be returned */
switch (ac->user_type) {
case SECURITY_SYSTEM:
*
* Component: ldb local_password module
*
- * Description: correctly update hash values based on changes to sambaPassword and friends
+ * Description: correctly update hash values based on changes to userPassword and friends
*
* Author: Andrew Bartlett
*/
return ldb_next_request(module, req);
}
- /* TODO: remove this when sambaPassword will be in schema */
+ /* TODO: remove this when userPassword will be in schema */
if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
ldb_asprintf_errstring(module->ldb,
"Cannot relocate a password on entry: %s, does not have objectClass 'person'",
ac = talloc_get_type(h->private_data, struct lpdb_context);
/* if it is not an entry of type person this is an error */
- /* TODO: remove this when sambaPassword will be in schema */
+ /* TODO: remove this when these things are checked in the schema */
if (!ac->search_res) {
ldb_asprintf_errstring(ac->module->ldb,
"entry just modified (%s) not found!",
*
* Component: ldb password_hash module
*
- * Description: correctly update hash values based on changes to sambaPassword and friends
+ * Description: correctly update hash values based on changes to userPassword and friends
*
* Author: Andrew Bartlett
* Author: Stefan Metzmacher
/* If we have decided there is reason to work on this request, then
* setup all the password hash types correctly.
*
- * If the administrator doesn't want the sambaPassword stored (set in the
+ * If the administrator doesn't want the userPassword stored (set in the
* domain and per-account policies) then we must strip that out before
* we do the first operation.
*
return LDB_ERR_UNWILLING_TO_PERFORM;
}
- /* If no part of this ADD touches the sambaPassword, or the NT
+ /* If no part of this ADD touches the userPassword, or the NT
* or LM hashes, then we don't need to make any changes. */
- sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
+ sambaAttr = ldb_msg_find_element(req->op.mod.message, "userPassword");
ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
}
/* if it is not an entry of type person its an error */
- /* TODO: remove this when sambaPassword will be in schema */
+ /* TODO: remove this when userPassword will be in schema */
if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
ldb_set_errstring(module->ldb, "Cannot set a password on entry that does not have objectClass 'person'");
return LDB_ERR_OBJECT_CLASS_VIOLATION;
}
- /* check sambaPassword is single valued here */
- /* TODO: remove this when sambaPassword will be single valued in schema */
+ /* check userPassword is single valued here */
+ /* TODO: remove this when userPassword will be single valued in schema */
if (sambaAttr && sambaAttr->num_values > 1) {
- ldb_set_errstring(module->ldb, "mupltiple values for sambaPassword not allowed!\n");
+ ldb_set_errstring(module->ldb, "mupltiple values for userPassword not allowed!\n");
return LDB_ERR_CONSTRAINT_VIOLATION;
}
}
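Review bot: The new `ldb_set_errstring` line in the single-value check keeps the typo `mupltiple` and a trailing `\n`, which the other ldb error strings in this module (for example the objectClass 'person' violation message) do not carry; suggest `ldb_set_errstring(module->ldb, "multiple values for userPassword not allowed!");`. The rewritten TODO promises the check will go away once userPassword is single-valued in the schema; if the attribute ends up provisioned with its standard multi-valued definition that may never happen, so the comment should say the check is a deliberate local constraint rather than a temporary one. The enclosing function starts and ends outside the hunk.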
if (sambaAttr && sambaAttr->num_values == 0) {
- ldb_set_errstring(module->ldb, "sambaPassword must have a value!\n");
+ ldb_set_errstring(module->ldb, "userPassword must have a value!\n");
return LDB_ERR_CONSTRAINT_VIOLATION;
}
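Review bot: The replacement error string `"userPassword must have a value!\n"` still ends in a newline, unlike the other ldb error strings in this module; drop it: `ldb_set_errstring(module->ldb, "userPassword must have a value!");`. Elsewhere in this patch the setpassword path issues `samdb_msg_add_delete(..., "userPassword")`, i.e. a modification of this attribute with no values; if this `num_values == 0` check runs before the element's modify flag is inspected, such a delete would be rejected with a constraint violation, which is worth confirming against the code outside the hunk. The enclosing function begins and ends outside the hunk.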
io.u.user_principal_name = samdb_result_string(msg, "userPrincipalName", NULL);
io.u.is_computer = ldb_msg_check_string_attribute(msg, "objectClass", "computer");
- io.n.cleartext = samdb_result_string(msg, "sambaPassword", NULL);
+ io.n.cleartext = samdb_result_string(msg, "userPassword", NULL);
io.n.nt_hash = samdb_result_hash(io.ac, msg, "unicodePwd");
io.n.lm_hash = samdb_result_hash(io.ac, msg, "dBCSPwd");
/* remove attributes */
- if (io.n.cleartext) ldb_msg_remove_attr(msg, "sambaPassword");
+ if (io.n.cleartext) ldb_msg_remove_attr(msg, "userPassword");
if (io.n.nt_hash) ldb_msg_remove_attr(msg, "unicodePwd");
if (io.n.lm_hash) ldb_msg_remove_attr(msg, "dBCSPwd");
ldb_msg_remove_attr(msg, "pwdLastSet");
return LDB_ERR_UNWILLING_TO_PERFORM;
}
- sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
+ sambaAttr = ldb_msg_find_element(req->op.mod.message, "userPassword");
ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
- /* If no part of this touches the sambaPassword OR unicodePwd and/or dBCSPwd, then we don't
+ /* If no part of this touches the userPassword OR unicodePwd and/or dBCSPwd, then we don't
* need to make any changes. For password changes/set there should
* be a 'delete' or a 'modify' on this attribute. */
if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
/* - remove any imodification to the password from the first commit
* we will make the real modification later */
- if (sambaAttr) ldb_msg_remove_attr(msg, "sambaPassword");
+ if (sambaAttr) ldb_msg_remove_attr(msg, "userPassword");
if (ntAttr) ldb_msg_remove_attr(msg, "unicodePwd");
if (lmAttr) ldb_msg_remove_attr(msg, "dBCSPwd");
}
/* if it is not an entry of type person this is an error */
- /* TODO: remove this when sambaPassword will be in schema */
+ /* TODO: remove this when userPassword will be in schema */
if (!ldb_msg_check_string_attribute(ares->message, "objectClass", "person")) {
ldb_set_errstring(ldb, "Object class violation");
talloc_free(ares);
io.u.user_principal_name = samdb_result_string(searched_msg, "userPrincipalName", NULL);
io.u.is_computer = ldb_msg_check_string_attribute(searched_msg, "objectClass", "computer");
- io.n.cleartext = samdb_result_string(orig_msg, "sambaPassword", NULL);
+ io.n.cleartext = samdb_result_string(orig_msg, "userPassword", NULL);
io.n.nt_hash = samdb_result_hash(io.ac, orig_msg, "unicodePwd");
io.n.lm_hash = samdb_result_hash(io.ac, orig_msg, "dBCSPwd");
.type = MAP_IGNORE,
},
- /* sambaPassword */
+ /* userPassword */
{
- .local_name = "sambaPassword",
+ .local_name = "userPassword",
.type = MAP_IGNORE,
},
}
}
},
- {
- .local_name = "sambaPassword",
- .type = MAP_RENAME,
- .u = {
- .rename = {
- .remote_name = "userPassword"
- }
- }
- },
{
.local_name = "objectCategory",
.type = MAP_CONVERT,
}
}
},
- {
- .local_name = "sambaPassword",
- .type = MAP_RENAME,
- .u = {
- .rename = {
- .remote_name = "userPassword"
- }
- }
- },
{
.local_name = "objectCategory",
.type = MAP_CONVERT,
/* Passwords. Ensure there is no plaintext stored against
* this entry, as we only have hashes */
samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg,
- "sambaPassword");
+ "userPassword");
}
if (user->lm_password_present) {
samdb_msg_add_hash(state->sam_ldb, mem_ctx, msg,
# now the real work
self.add({"dn": user_dn,
"sAMAccountName": username,
- "sambaPassword": password,
+ "userPassword": password,
"objectClass": "user"})
res = self.search(user_dn, scope=ldb.SCOPE_BASE,
setpw = """
dn: %s
changetype: modify
-replace: sambaPassword
-sambaPassword: %s
+replace: userPassword
+userPassword: %s
""" % (user_dn, password)
self.modify_ldif(setpw)
dn: CASE_INSENSITIVE
sAMAccountName: CASE_INSENSITIVE
objectClass: CASE_INSENSITIVE
-sambaPassword: HIDDEN
+userPassword: HIDDEN
krb5Key: HIDDEN
ntPwdHash: HIDDEN
sambaNTPwdHistory: HIDDEN
checkBaseOnSearch: TRUE
dn: @KLUDGEACL
-passwordAttribute: sambaPassword
+passwordAttribute: userPassword
passwordAttribute: ntPwdHash
passwordAttribute: sambaNTPwdHistory
passwordAttribute: lmPwdHash
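Review bot: The HIDDEN and passwordAttribute lists now name only userPassword, so a database that still holds the old sambaPassword attribute loses both protections after this change and the cleartext would become searchable and returnable again. If databases provisioned before the rename can be opened with this configuration, keep `sambaPassword: HIDDEN` and `passwordAttribute: sambaPassword` next to the new entries for a transition period, or pair the rename with an upgrade step that deletes the old attribute. The schema entry for sambaPassword being commented out elsewhere in this patch suggests old data is assumed not to exist, but nothing here enforces that assumption.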
operatingSystemVersion: 4.0
dNSHostName: ${DNSNAME}
isCriticalSystemObject: TRUE
-sambaPassword:: ${MACHINEPASS_B64}
+userPassword:: ${MACHINEPASS_B64}
servicePrincipalName: HOST/${DNSNAME}
servicePrincipalName: HOST/${NETBIOSNAME}
servicePrincipalName: HOST/${DNSNAME}/${REALM}
sAMAccountName: dns
servicePrincipalName: DNS/${DNSDOMAIN}
isCriticalSystemObject: TRUE
-sambaPassword:: ${DNSPASS_B64}
+userPassword:: ${DNSPASS_B64}
showInAdvancedViewOnly: TRUE
dn: ${SERVERDN}
accountExpires: 9223372036854775807
sAMAccountName: Administrator
isCriticalSystemObject: TRUE
-sambaPassword:: ${ADMINPASS_B64}
+userPassword:: ${ADMINPASS_B64}
dn: CN=Guest,CN=Users,${DOMAINDN}
objectClass: user
sAMAccountName: krbtgt
servicePrincipalName: kadmin/changepw
isCriticalSystemObject: TRUE
-sambaPassword:: ${KRBTGTPASS_B64}
+userPassword:: ${KRBTGTPASS_B64}
dn: CN=Domain Computers,CN=Users,${DOMAINDN}
objectClass: top
cn
dITContentRules
top
-#This shouldn't make it to the ldap server
-sambaPassword
#This should be provided by the LDAP server, only in our schema to permit provision
aci
#Skip ObjectClasses
top
#The memberOf plugin provides this attribute
memberOf
-#This shouldn't make it to the ldap server
-sambaPassword
#These conflict with OpenLDAP builtins
attributeTypes:samba4AttributeTypes
2.5.21.5:1.3.6.1.4.1.7165.4.255.7
#attributeSyntax: 2.5.5.10
#oMSyntax: 4
-dn: CN=sambaPassword,${SCHEMADN}
-objectClass: top
-objectClass: attributeSchema
-lDAPDisplayName: sambaPassword
-isSingleValued: FALSE
-systemFlags: 17
-systemOnly: TRUE
-schemaIDGUID: 87F10301-229A-4E69-B63A-998339ADA37A
-adminDisplayName: SAMBA-Password
-attributeID: 1.3.6.1.4.1.7165.4.1.5
-attributeSyntax: 2.5.5.5
-oMSyntax: 22
+#
+# Not used anymore
+#
+#dn: CN=sambaPassword,${SCHEMADN}
+#objectClass: top
+#objectClass: attributeSchema
+#lDAPDisplayName: sambaPassword
+#isSingleValued: FALSE
+#systemFlags: 17
+#systemOnly: TRUE
+#schemaIDGUID: 87F10301-229A-4E69-B63A-998339ADA37A
+#adminDisplayName: SAMBA-Password
+#attributeID: 1.3.6.1.4.1.7165.4.1.5
+#attributeSyntax: 2.5.5.5
+#oMSyntax: 22
#
# Not used anymore