[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Active Directory Password Cache



On Tue, Aug 07, 2007 at 08:50:37AM +0200, Buchan Milne wrote:
> 
> Would it not be better to just use the smbk5pwd overlay as well ?
> 

smbk5pwd hooks into the PasswordModify extended operation while adpwc
hooks into bind. So both address different situations.

> 
> Would it be possible to apply password expiry (using the local password policy 
> via ppolicy) as well ?
> 

Since adpwc does not perform pwdModify exop, I expect ppolicy to fail at
least some of its features.

> 
> Would it not be possible to use a non-default realm ?
> 

The overlay uses the krb(5)PrincipalName as given in the user object.
If it includes a realm, that is used.

> 
> Finally, would it be possible to provide any information on what is required 
> on the AD side for this to work (I assume some account for the OpenLDAP 
> server to use)?
> 

The current design intentionally has absolutely no requirements on the AD side.
The overlay does no server authentication. 


Regards,

  Sebastian