As part of discussion for ticket #2867, ability to convey the fact that users have no RC4-HMAC key in their kerberos keys and haven't yet changed their password is deemed important to optimize LDAP traffic in ipasam module.
Therefore, it would be good if password change code will take into account that ipaNTHash value may be set to 'DISABLE' by pre-mod op for ipaNTHash in case it doesn't see RC4-HMAC key.
'DISABLE' value can safely be overridden by password change code. Upon change, ipaNTHash attribute would then contain proper NT hash of the password.
Metadata Update from @abbra: - Issue assigned to simo - Issue set to the milestone: Future Releases
Login to comment on this ticket.