
Re: ppolicy overlay trick



> Dmitriy Kirhlarov wrote:
>> Hi, list.
>>
>> There are several ways to implement password policy now -- shadowAccount
>> for pam, sambaAccountPolicy for samba and the password policy overlay for
>> both.
>> All of these are imperfect.
>> shadowAccount and sambaAccountPolicy can't block login to www, for
>> example, and they work on the client side.
>> The ppolicy overlay works fine, but if the password is blocked, the client
>> usually has no details.
>>
>> My idea -- mapping ppolicy overlay rules to samba and shadow fields in the
>> user's DN on the server side. Is it possible? If yes -- how?
>
> You could probably write an overlay to intercept ppolicy updates and
> translate them into other attributes, but that would mostly be a waste
> of effort. PADL's pam_ldap already supports the ppolicy control, so if
> you use it you'll get all of the policy messages. (Except, see ITS#4528,
> which will be fixed in the 2.3.22 release.) So there's no reason to mess
> with the shadow attributes at all.
>
> I recall that Andrew Bartlett was looking into making Samba cooperate
> with LDAP ppolicy too; I would chase that route instead of trying to map
> back and forth.

If you use php, or use any of the tons of web-based php tools that access
LDAP, I've patched php (HEAD, but the patch used to neatly apply to php 5
and 4) to allow handling of extended operations and control responses (the
braindead, old LDAP API of php barely allows basic operations and doesn't
give any access to responses; the fact that a patch to HEAD applies two
major versions behind indicates how much development occurred).

I needed that to implement password modify and to access password policy
responses from php clients. If this would ever get integrated (apparently
php developers are even less inclined to external contributions than
OpenLDAP's ;), I'd expect password policy responses to be handled by all
web-based php applications that directly deal with LDAP and auth.

p.



Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
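As an added example (not the PHP patch described in this post, nor OpenLDAP project code), this is how a PHP client reads the ppolicy response control on a bind using the control support that PHP 7.3 and later ship natively; the server URI, bind DN and password are placeholders.

```php
<?php
// Added example, not the patch from the post: read the ppolicy response control
// with the control support PHP 7.3+ ships natively. URI/DN/password are placeholders.

// Error values defined by draft-behera-ldap-password-policy.
const PPOLICY_ERRORS = [
    0 => 'passwordExpired',
    1 => 'accountLocked',
    2 => 'changeAfterReset',
    3 => 'passwordModNotAllowed',
    4 => 'mustSupplyOldPassword',
    5 => 'insufficientPasswordQuality',
    6 => 'passwordTooShort',
    7 => 'passwordTooYoung',
    8 => 'passwordInHistory',
];

/**
 * Bind with the password policy request control and return the bind result
 * code plus the decoded policy state (works against slapd with overlay ppolicy).
 */
function ppolicy_bind(string $uri, string $dn, string $password): array
{
    $ldap = ldap_connect($uri);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Ask the server to attach the policy response control to the bind result.
    $result = ldap_bind_ext($ldap, $dn, $password, [['oid' => LDAP_CONTROL_PASSWORDPOLICYREQUEST]]);
    if ($result === false) {
        return ['bind_error' => ldap_errno($ldap), 'message' => ldap_error($ldap)];
    }

    ldap_parse_result($ldap, $result, $errcode, $matcheddn, $errmsg, $referrals, $controls);
    $state = ['bind_error' => $errcode, 'message' => $errmsg];

    // PHP decodes the response control into optional expire / grace / error keys.
    $resp = $controls[LDAP_CONTROL_PASSWORDPOLICYRESPONSE]['value'] ?? [];
    if (isset($resp['error'])) {
        $state['policy_error'] = PPOLICY_ERRORS[$resp['error']] ?? 'unknown(' . $resp['error'] . ')';
    }
    foreach (['expire' => 'expires_in_seconds', 'grace' => 'grace_binds_left'] as $key => $name) {
        if (isset($resp[$key])) { $state[$name] = $resp[$key]; }
    }
    return $state;
}

print_r(ppolicy_bind('ldap://ldap.example.com', 'uid=jdoe,ou=people,dc=example,dc=com', 'secret'));
```

A locked or expired account shows up as `policy_error` alongside the bind result code, which is exactly the detail the quoted poster noted a plain client never sees.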