From: Andrew Bartlett Date: Thu, 20 Jul 2023 03:49:08 +0000 (+1200) Subject: WHATSNEW: Mention new unicodePwd only over encrypted LDAP restriction X-Git-Tag: ldb-2.8.0~77 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5e473cba0d3dd842a41789f5d61d8234db54d6b7;p=thirdparty%2Fsamba.git WHATSNEW: Mention new unicodePwd only over encrypted LDAP restriction Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall --- diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 4254b0c2aaf..17067eb7e27 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -198,6 +198,18 @@ shell scripts around the client tools of MIT or Heimdal Kerberos. Samba's independently written python testsuite has been extended to validate KDC behaviour for PKINIT. +Require encrypted connection to modify unicodePwd on the AD DC +-------------------------------------------------------------- + +Setting the password on an AD account on should never be attempted +over a plaintext or signed-only LDAP connection. If the unicodePwd +(or userPassword) attribute is modified without encryption (as seen by +Samba), the request will be rejected. This is to encourage the +administrator to use an encrypted connection in the future. + +NOTE WELL: If Samba is accessed via a TLS frontend or load balancer, +the LDAP request will be regarded as plaintext. + ================ REMOVED FEATURES
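Review bot: stray word in the first sentence of the added paragraph: "Setting the password on an AD account on should never be attempted" should read "Setting the password on an AD account should never be attempted". Two further points on the same hunk: the "NOTE WELL" paragraph says a request arriving through a TLS frontend or load balancer "will be regarded as plaintext" but leaves the consequence implicit; given the preceding paragraph, it would be clearer to state outright that such unicodePwd/userPassword modifications will be rejected, so encryption must be end-to-end to the Samba AD DC rather than terminated at an intermediary. Also, the text says the rejection is "to encourage the administrator to use an encrypted connection in the future", which reads as a soft nudge; since the behaviour is a hard rejection, consider wording it as a requirement, and, if the release provides any way to relax it, document that here so administrators hitting the error on upgrade know where to look.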