[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: smbk5pwd and ppolicy working together
Ryan Steele wrote:
Hey Howard, Adam, and List:
I'm not even sure this is the path I ought to be going down. If
smbk5pwd has no knowledge of ppolicy, and password changes from Windows
clients won't adhere to those restrictions with any combination of
configuration options in any currently known universe, perhaps what I
really need is an alternate strategy. I'm open to suggestion; my only
requirements are that password changes from a Windows workstation be
subjected to the ppolicy constraints, and that the LDAP and Samba
passwords all be in sync.
However, here are the logs entries and relevant slapd configuration
options - pastings inline below:
Howard Chu wrote:
Ryan Steele wrote:
I realize that 'only' is what I want and that's what I'm using, however
I think smbk5pwd is working. The two snippets below are show the
differences after a Windows user changes his password (from the
ctrl+alt+delete menu):
Don't guess. Turn up the slapd debug level and show what it logs when
you perform the actual password change.
Note that although the logs seem to indicate (at least to my untrained
eyes) that access to userPassword, sambaLMPassword, and sambaNTPassword
is denied, Windows tells me it's been updated, and I can in fact log out
and log back in with the new password.
This is syslog output, not debug output. I said to bump up the debug level.
Apr 3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access
to "uid=tester,ou=Users,dc=example,dc=com" "userPassword" requested
The only other references I found to these attributes in the logs (which
are at loglevel 128) are:
Apr 3 07:27:00 ldapmaster slapd[1012]:<= root access granted
Apr 3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access
to "uid=tester,ou=Users,dc=example,dc=com" "sambaLMPassword" requested
Apr 3 07:27:00 ldapmaster slapd[1012]:<= root access granted
Apr 3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access
to "uid=tester,ou=Users,dc=example,dc=com" "sambaNTPassword" requested
As already mentioned, ppolicy doesn't restrict the rootDN. If you want your
policy constraints to work, you have to bind with some other DN to make the
changes. That will of course mean that you have to give that DN write access
to the selected attributes in your ACL.
Also, don't make us guess - post the relevant portion of your slapd
configuration.
include /etc/openldap/schema/ppolicy.schema
# Dynamic modules
moduleload smbk5pwd.la
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}tFEA391Y3ZLHXkQDDk6f0t1ZkJEuMwIj
# Overlays - ppolicy for enforcing password restrictions and smbk5pwd
for syncing LDAP and Samba passwords
overlay smbk5pwd
overlay ppolicy
ppolicy_default "cn=Password Policy,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
# ACL's
access to
attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
by self write
by * auth
access to *
by * read
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/