
Re: ppolicy overlay trick



Dmitriy Kirhlarov wrote:
Hi, list.

There are several ways to implement password policy now -- shadowAccount
for pam, sambaAccountPolicy for samba and the password policy overlay for
both.
None of them is perfect.
shadowAccount and sambaAccountPolicy can't block login to www, for
example, and they work on the client side.
The ppolicy overlay works fine, but if a password is blocked the client
usually doesn't get the details.

My idea -- mapping ppolicy overlay rules to samba and shadow fields in the
user's DN on the server side. Is it possible? If yes -- how?

You could probably write an overlay to intercept ppolicy updates and translate them into other attributes, but that would mostly be a waste of effort. PADL's pam_ldap already supports the ppolicy control, so if you use it you'll get all of the policy messages. (Except, see ITS#4528, which will be fixed in the 2.3.22 release.) So there's no reason to mess with the shadow attributes at all.


I recall that Andrew Bartlett was looking into making Samba cooperate with LDAP ppolicy too; I would chase that route instead of trying to map back and forth.

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/