[30601] in Kerberos
Re: computer account change password with Windows 2008 domain
daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Jan 7 15:04:51 2009
To: "Michael B Allen" <ioplex@gmail.com>
In-Reply-To: <78c6bd860901071145t5d4f2c2xec80cbd9560f5c29@mail.gmail.com>
(Michael B. Allen's message of "Wed\,
7 Jan 2009 14\:45\:38 -0500")
From: Russ Allbery <rra@stanford.edu>
Date: Wed, 07 Jan 2009 12:03:32 -0800
Message-ID: <87priyyjcb.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
"Michael B Allen" <ioplex@gmail.com> writes:
> Do you know if works when SASL confidentiality is used instead of TLS?
It does not. Microsoft's LDAP implementation requires TLS in order to
view or change the password attribute. I don't know of any technical
reason why SASL confidentiality wouldn't be sufficient (provided the
negotiated strength were high enough), but their implementation doesn't
appear to support this.
> Is there any method that works at all?
> I'm sure a lot of people would like know exactly what privacy
> establishment methods allow you to set unicodePwd over LDAP.
Under Windows 2008, so far as I can determine, the only supported way to
set unicodePwd over LDAP is to use password binds with TLS. I don't
believe this is intentional -- Microsoft acknowledges that it's a bug
rather than a design intention -- but as long as the bug is present, it
amounts to the same thing.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
