[Date Prev][Date Next]
Re: ppolicy overlay trick
Dmitriy Kirhlarov wrote:
The are several ways to implement password policy now -- shadowAccount
for pam, sambaAccountPolicy for samba and password policy overlay for
All this are not perfect.
shadowAccount and sambaAccountPolicy can't block login to www, for
example, and they work on client side.
ppolicy overlay work fine, but, if password blocked, client, usualy,
My idea -- mapping ppolicy overlay rules to samba and shadow fields in
users dn on server side. Is it possible? If yes -- how?
You could probably write an overlay to intercept ppolicy updates and
translate them into other attributes, but that would mostly be a waste
of effort. PADL's pam_ldap already supports the ppolicy control, so if
you use it you'll get all of the policy messages. (Except, see ITS#4528,
which will be fixed in the 2.3.22 release.) So there's no reason to mess
with the shadow attributes at all.
I recall that Andrew Bartlett was looking into making Samba cooperate
with LDAP ppolicy too; I would chase that route instead of trying to map
back and forth.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/