(This email has been sitting in my drafts folder for a week ... if it seems incomplete, it was because I didn't want to wait till next week Tuesday when I am finally back in the office).
I'm trying to complete a system which allows authentication by a number of means, for example:
-Wifi authentication with WPA2 with MSCHAPv2 to FreeRADIUS against sambaNTPassword attribute in OpenLDAP -Samba domain -Kerberos with keys stored in OpenLDAP -Some hardware devices which read userPassword and compare the hash
At the same time, I would like password policies applied, including: -Password expiry by default (but exempt some accounts from password expiry) -Password history checking -Password strength rules (at minimum length, preferably enforce variation of character types)
It seems that Heimdal currently doesn't have password history support, and the password expiry available is quite limited (e.g. global via [kadmin]password_lifetime). However, Heimdal respects the sambaPwdMustChange attribute
MIT has password history support, and support for multiple password expiry policies, but password history is not available with the LDAP backend (and I don't see mention of whether the password policies can be stored in LDAP either).
Password changes via Heimdal will: -Change the password in the krb5key attributes -Change the password in sambaNTPassword -update krb5PasswordEnd -update sambaPwdMustChange (but not sambaPwdLastSet) -not change the password in userPassword -not update pwdChangedTime -not update passwords in pwdHistory
Password changes via OpenLDAP (exop) with ppolicy and smbk5pwd overlays will: -Change the password in the krb5Key attributes -Change the password in the userPassword attribute -Change the password in the sambaNTPassword and sambaLMPassword attributes -update pwdChangedTime -update sambaPwdLastSet (but not sambaPwdMustChange) -update passwords in pwdHistory -Not update krb5PasswordEnd
I would prefer not to rely on password changing via samba, since most users don't really know anything about samba (so, I'll probably have samba setup for 'ldap passwd sync = only'
So, are there any solutions to this problem ? Or, will one of ppolicy or smbk5pwd need to be updated to take the other into account.