WHATSNEW: Mention new unicodePwd only over encrypted LDAP restriction

author Andrew Bartlett <abartlet@samba.org>

Thu, 20 Jul 2023 03:49:08 +0000 (15:49 +1200)

committer Andrew Bartlett <abartlet@samba.org>

Fri, 21 Jul 2023 01:25:37 +0000 (01:25 +0000)
author Andrew Bartlett <abartlet@samba.org>
Thu, 20 Jul 2023 03:49:08 +0000 (15:49 +1200)
committer Andrew Bartlett <abartlet@samba.org>
Fri, 21 Jul 2023 01:25:37 +0000 (01:25 +0000)
diff --git a/WHATSNEW.txt b/WHATSNEW.txt

index 4254b0c2aaf16dd3901eb53f4f55a2cb8d20b5ab..17067eb7e27a616aaacf12b65cc531dcaad89506 100644 (file)
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -198,6 +198,18 @@ shell scripts around the client tools of MIT or Heimdal Kerberos.
  Samba's independently written python testsuite has been extended to
  validate KDC behaviour for PKINIT.
  
+Require encrypted connection to modify unicodePwd on the AD DC
+--------------------------------------------------------------
+
+Setting the password on an AD account on should never be attempted
+over a plaintext or signed-only LDAP connection.  If the unicodePwd
+(or userPassword) attribute is modified without encryption (as seen by
+Samba), the request will be rejected.  This is to encourage the
+administrator to use an encrypted connection in the future.
+
+NOTE WELL: If Samba is accessed via a TLS frontend or load balancer,
+the LDAP request will be regarded as plaintext.
+
  
  ================
  REMOVED FEATURES
author	Andrew Bartlett <abartlet@samba.org>
	Thu, 20 Jul 2023 03:49:08 +0000 (15:49 +1200)
committer	Andrew Bartlett <abartlet@samba.org>
	Fri, 21 Jul 2023 01:25:37 +0000 (01:25 +0000)