Re: smbk5pwd and ppolicy working together

[Howard Chu <hyc@symas.com>]

Ryan Steele wrote:
> Hey Howard, Adam, and List:
>
> I'm not even sure this is the path I ought to be going down.  If
> smbk5pwd has no knowledge of ppolicy, and password changes from Windows
> clients won't adhere to those restrictions with any combination of
> configuration options in any currently known universe, perhaps what I
> really need is an alternate strategy.  I'm open to suggestion; my only
> requirements are that password changes from a Windows workstation be
> subjected to the ppolicy constraints, and that the LDAP and Samba
> passwords all be in sync.
>
> However, here are the logs entries and relevant slapd configuration
> options - pastings inline below:
>
> Howard Chu wrote:
> > Ryan Steele wrote:
> > > I realize that 'only' is what I want and that's what I'm using, however
> > > I think smbk5pwd is working.  The two snippets below are show the
> > > differences after a Windows user changes his password (from the
> > > ctrl+alt+delete menu):
> > Don't guess. Turn up the slapd debug level and show what it logs when
> > you perform the actual password change.
> Note that although the logs seem to indicate (at least to my untrained
> eyes) that access to userPassword, sambaLMPassword, and sambaNTPassword
> is denied, Windows tells me it's been updated, and I can in fact log out
> and log back in with the new password.

This is syslog output, not debug output. I said to bump up the debug level.

> Apr  3 07:27:00 ldapmaster slapd[1012]: =>  access_allowed: read access
> to "uid=tester,ou=Users,dc=example,dc=com" "userPassword" requested

> The only other references I found to these attributes in the logs (which
> are at loglevel 128) are:
>
> Apr  3 07:27:00 ldapmaster slapd[1012]:<= root access granted
> Apr  3 07:27:00 ldapmaster slapd[1012]: =>  access_allowed: read access
> to "uid=tester,ou=Users,dc=example,dc=com" "sambaLMPassword" requested
> Apr  3 07:27:00 ldapmaster slapd[1012]:<= root access granted
> Apr  3 07:27:00 ldapmaster slapd[1012]: =>  access_allowed: read access
> to "uid=tester,ou=Users,dc=example,dc=com" "sambaNTPassword" requested

As already mentioned, ppolicy doesn't restrict the rootDN. If you want your 
policy constraints to work, you have to bind with some other DN to make the 
changes. That will of course mean that you have to give that DN write access 
to the selected attributes in your ACL.

> > Also, don't make us guess - post the relevant portion of your slapd
> > configuration.
> include         /etc/openldap/schema/ppolicy.schema
>
> # Dynamic modules
> moduleload      smbk5pwd.la
>
> rootdn          "cn=admin,dc=example,dc=com"
> rootpw          {SSHA}tFEA391Y3ZLHXkQDDk6f0t1ZkJEuMwIj
>
> # Overlays - ppolicy for enforcing password restrictions and smbk5pwd
> for syncing LDAP and Samba passwords
> overlay smbk5pwd
> overlay ppolicy
> ppolicy_default "cn=Password Policy,ou=Policies,dc=example,dc=com"
> ppolicy_use_lockout
>
> # ACL's
> access to
> attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
>     by   self    write
>     by   *       auth
>
> access to *
>     by   *       read

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/