Friday, 5 July 2019

Windows Active Directory step by step (7) --- userPassword, msSFU30Password, unixUserPassword, unicodePwd

One of the most confusing parts of Windows AD is the password. A Windows AD user account carries 4 different password attributes:

  • unicodePwd
  • msSFU30Password
  • unixUserPassword
  • userPassword

The problem is that these passwords don't sync automatically, which means an AD user can end up with different passwords for Unix and Windows.

1. unicodePwd  (password for AD bind and Windows account)

Windows clients always use "unicodePwd" for their users, while the other password attributes are mainly for Unix accounts.
An LDAP bind to AD is always checked against unicodePwd. None of the other passwords works for a bind operation.

The unicodePwd attribute is never returned by an LDAP search.

To change unicodePwd, AD requires that the connection be encrypted and that the caller have the necessary permissions.
Usually, only the user itself can change its own password, and only administrators can reset a user's password.

2. userPassword (password for LDAP bind)

userPassword is the password attribute used by most other LDAP servers, but not by AD. Unfortunately, "userPassword" is disabled in AD by default, which means AD treats it like any other ordinary attribute rather than as a password.

3. msSFU30Password (password for Unix account)

msSFU30Password was designed specifically for Unix accounts. However, it was later replaced by unixUserPassword.

4. unixUserPassword (password for Unix account)

unixUserPassword stores the password of a Unix user. It is used when a user has different passwords for Windows and Unix.

5. Best solution

I really think the best way is to use a single password per user for everything. With that approach, the only possible option is "unicodePwd".

Since unicodePwd can never be read by anyone, the only way to use it is to let AD do the authentication for us: a successful AD bind proves that the user is authenticated.
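As an added example (not code from the original post), the following Python builds the value AD expects when unicodePwd is written (the cleartext password wrapped in double quotes and encoded as UTF-16LE), emits the LDIF for an administrator reset and for a user's own change, and shows the bind-based check described above. The DN, host and passwords are placeholders, and the bind helper assumes the third-party ldap3 package.

```python
"""Set and verify Active Directory unicodePwd. Added example, not from the post."""
import base64


def unicode_pwd_value(password: str) -> bytes:
    """AD stores unicodePwd as the quoted cleartext in UTF-16LE (no BOM).
    The modify carrying it must travel over an encrypted connection (LDAPS)."""
    return f'"{password}"'.encode("utf-16-le")


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def admin_reset_ldif(dn: str, new_password: str) -> str:
    """Administrator reset: one 'replace' of unicodePwd; needs reset permission."""
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "replace: unicodePwd", f"unicodePwd:: {_b64(unicode_pwd_value(new_password))}",
        "-", "",
    ])


def self_change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """User changing their own password: delete the old value and add the new one
    in a single modify. AD checks the old value, so no reset permission is needed."""
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "delete: unicodePwd", f"unicodePwd:: {_b64(unicode_pwd_value(old_password))}",
        "-",
        "add: unicodePwd", f"unicodePwd:: {_b64(unicode_pwd_value(new_password))}",
        "-", "",
    ])


def authenticate_by_bind(host: str, user_dn: str, password: str) -> bool:
    """Let AD check the password: a successful simple bind over LDAPS means the
    supplied password matches unicodePwd. Requires the ldap3 package (imported
    lazily so the rest of this module works without it)."""
    if not password:
        # A DN with an empty password is an unauthenticated bind; never count it as success.
        return False
    from ldap3 import SIMPLE, Connection, Server  # third-party package
    server = Server(host, port=636, use_ssl=True)
    conn = Connection(server, user=user_dn, password=password, authentication=SIMPLE)
    ok = conn.bind()  # False on invalidCredentials (result 49), no exception raised
    conn.unbind()
    return ok


if __name__ == "__main__":
    print(admin_reset_ldif("CN=jdoe,CN=Users,DC=example,DC=com", "N3w-Passw0rd!"))  # placeholder DN/password
```

Feed the LDIF to `ldifde -i` or `ldapmodify -H ldaps://...` over an encrypted connection; AD rejects the modify on a plain LDAP session.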
