
Re: smbk5pwd and ppolicy working together



Adam, Howard, and list,

Upon Howard's suggestion, I went and re-read the docs on ACLs for
slapd.conf.  What I came up with is the following (I'll change the
first asterisk to the specific attributes once I've actually got it
working...):

# ACLs
access to *
   by dn.exact="cn=pwdchanger,dc=example,dc=com" write
   by * break

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
   by   self    write
   by   *       auth

access to *
   by   *       read

I also set the 'ldap admin dn' to be cn=pwdchanger,dc=example,dc=com in
my smb.conf, and added him to the smbpasswd database.

I'm happy to report that my initial testing shows that ppolicy indeed is
being adhered to now.  A big thank you to Howard, Adam, Pat, and others
who assisted me.  I have noticed, as Thierry Lacoste pointed out, that
Windows reports a successful password change when the password fails
ppolicy restrictions - but ONLY if I have logging set to 0.  I have no
idea why the two are related.  If I have logging turned on (even to 1),
Windows reports "The system cannot change your password now because the
domain DOMAINNAME is unavailable", but at least it's confirmation on the
user end that the change didn't take.  However, this is a Samba issue,
not an LDAP issue, so I'll take my findings to their mailing list.

Again, thanks to those who helped me.

Best Regards,
Ryan
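As an added illustration, not part of Ryan's message, here is the same ACL set with the first clause narrowed to the password-related attributes, which is the change he says he intends to make. It assumes the same DN (cn=pwdchanger,dc=example,dc=com) and standard slapd.conf ACL syntax. slapd evaluates access directives in order and stops at the first clause whose target matches the requested entry/attribute, so the `break` in the first clause is what lets every requester other than pwdchanger fall through to the later clauses:

```conf
# Added example, not from the original post.  Assumes the DN used in the
# thread (cn=pwdchanger,dc=example,dc=com) and OpenLDAP slapd.conf syntax.

# 1. The Samba 'ldap admin dn' gets write on the password attributes only,
#    not on the whole DIT.  'break' continues evaluation with the next
#    matching clause for everyone else instead of ending it here.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
   by dn.exact="cn=pwdchanger,dc=example,dc=com" write
   by * break

# 2. Users may change their own password attributes; everyone else may use
#    them only for bind authentication ('auth'), never read them back.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
   by self write
   by * auth

# 3. All remaining attributes are readable by anyone.
access to *
   by * read
```

Before restarting slapd, `slapacl -f slapd.conf -D "cn=pwdchanger,dc=example,dc=com" -b "<some user DN>" userPassword/write` (and the same with `-D` set to an ordinary user or omitted for anonymous) confirms that only the intended identities are granted write.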