We are using Samba as a user directory for our application. Passwords are stored in unicodePwd attribute, and our application resets passwords through LDAP (without the knowledge of the previous password, because it's an email-based reset). Unfortunately resetting it like this prevents the "password history" policy enforcement. This is a security problem that will come up on the first security audit. Microsoft recognised this is a problem and in Windows 2008 R2 SP1 introduced a supportedControl on RootDSE: LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID (1.2.840.113556.1.4.2066), later LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113556.1.4.2239), which enables such password history enforcement on LDAP password resets. Garming has suggested a way to approach this here: https://lists.samba.org/archive/samba/2016-July/201208.html
Created attachment 12283 [details] a work in progress patch for this This is a patch I knocked up for this. It passes our own tests, but I've not tested against windows yet. We may choose not to implement the _DEPRICATED OID in the end. It needs a tidy up regarding names etc, and to check the flags in the password_hash code.
Hi, Any comment on the patch? Does this seems valuable? Any plan to implement it? Thank you very much,
This turned out to be a bit more complex than we imagined, so it never made it in. I can't remember the details, I expect it didn't actually pass our own tests.