[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: smbk5pwd and ppolicy working together

Ryan Steele wrote:
Howard and others,

Let me ask two theoretical questions, before I submit my comments
below.  Windows XP/2000/et. al. send their passwords via SMB hashed.

That is not true for a password change request, so the rest of this question is irrelevant.

So, without configuring those workstations to send the passwords
plaintext over the wire, is there any way for ppolicy to act on the
ldapmodify initiated by Samba from Windows clients attempting to change
their passwords?

Furthermore, if the above change is made so that ppolicy can evaluate
the plaintext password, what exactly will the interaction between LDAP
and the clients be if it fails to clear ppolicy constraints?

When you get it working you'll know. Questions of the form "what will happen if" will always get answered by "try it and see."

This is syslog output, not debug output. I said to bump up the debug

Maybe I'm misunderstanding. From the slapd.conf manpage:

loglevel<integer>  [...]
               Specify the level at which debugging statements and
operation statistics should be syslogged (currently logged to  the
syslogd(8)  LOG_LOCAL4  facility).

I thought "debugging statements" is what you wanted?  When I start slapd
with the -d option, I seem to get the same output as when I specify
'loglevel N' in the slapd.conf.

As I've said countless times - syslog is not a debugging tool. It is lossy; when the syslog daemon gets too busy it discards messages. If it could be used for everything there would be no need for us to provide a "-d" option. But in fact, we *do* provide a "-d" option, and debugging is its only purpose.

As already mentioned, ppolicy doesn't restrict the rootDN. If you want
your policy constraints to work, you have to bind with some other DN
to make the changes. That will of course mean that you have to give
that DN write access to the selected attributes in your ACL.

Ok - I'll create an LDAP user specifically for changing passwords, and set that as my "ldap admin dn" in the smb.conf, so the change won't be done by the rootdn, as recommended by Adam and yourself. I'll then create an entry in the slapd.conf like the one below and give that a shot.

# ACL's
access to

     by   self    write
     by   *       auth
     access to
           by dn="cn=pwchanger,dc=example,dc=com" write

You need to re-read the ACL docs.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/