[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: smbk5pwd and ppolicy working together

To: Buchan Milne <bgmilne@gmail.com>
Subject: Re: smbk5pwd and ppolicy working together
From: Howard Chu <hyc@symas.com>
Date: Thu, 03 Apr 2008 15:25:33 -0700
Cc: Ryan Steele <rsteele@archer-group.com>, openldap-software@openldap.org
In-reply-to: <ee2832530804031215s635c40f4r94c3ad8c055c6af3@mail.gmail.com>
References: <47F27B2A.5060607@archer-group.com> <47F29112.3040909@archer-group.com> <1207085230.24284.44.camel@localhost> <47F2AB5A.2020401@archer-group.com> <1207145959.7936.13.camel@WM_ADAM1.morrison.iserv.net> <47F3BA17.3090205@archer-group.com> <47F491D0.8090001@symas.com> <47F4FEEE.80708@archer-group.com> <47F5072E.1030109@symas.com> <47F51F1C.70902@archer-group.com> <ee2832530804031215s635c40f4r94c3ad8c055c6af3@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9b5pre) Gecko/2008030700 SeaMonkey/2.0a1pre

Buchan Milne wrote:

  Furthermore, if the above change is made so that ppolicy can evaluate
  the plaintext password, what exactly will the interaction between LDAP
  and the clients be if it fails to clear ppolicy constraints?


slapd will fail the operation, with a suitable error code and error
text. Whether samba will send a useful error to the client (so that
the client workstation displays an appropriate error message) is the
next question.

According to Thierry's post http://www.openldap.org/lists/openldap-software/200804/msg00066.html there's a problem there as well, but that's certainly a Samba or Windows issue, and nothing we can address in LDAP.

The third question is, what will happen to the samba password expiry
attributes, for both the case of changing via samba (should be fine)
and changing via ldap (won't be updated, samba passwords will still
appear to be expired). I also haven't had a chance to look at fixing
that (and again, the Heimdal equivalent also applies).

Current CVS smbk5pwd already takes care of these Samba attributes. What version are you looking at?

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- smbk5pwd and ppolicy working together
  - From: Ryan Steele <rsteele@archer-group.com>
- Re: smbk5pwd and ppolicy working together
  - From: Pat Riehecky <prieheck@iwu.edu>
- Re: smbk5pwd and ppolicy working together
  - From: Ryan Steele <rsteele@archer-group.com>
- Re: smbk5pwd and ppolicy working together
  - From: Adam Tauno Williams <adamtaunowilliams@gmail.com>
- Re: smbk5pwd and ppolicy working together
  - From: Ryan Steele <rsteele@archer-group.com>
- Re: smbk5pwd and ppolicy working together
  - From: Howard Chu <hyc@symas.com>
- Re: smbk5pwd and ppolicy working together
  - From: Ryan Steele <rsteele@archer-group.com>
- Re: smbk5pwd and ppolicy working together
  - From: Howard Chu <hyc@symas.com>
- Re: smbk5pwd and ppolicy working together
  - From: Ryan Steele <rsteele@archer-group.com>
- Re: smbk5pwd and ppolicy working together
  - From: "Buchan Milne" <bgmilne@gmail.com>

Prev by Date: Re: smbk5pwd and ppolicy working together
Next by Date: Non-Ascii characters in certificateExactMatch
Index(es):
- Chronological
- Thread