Re: smbk5pwd and ppolicy working together
Ryan Steele wrote:
Howard and others,
Let me ask two theoretical questions, before I submit my comments
below. Windows XP/2000/et al. send their passwords via SMB hashed.
That is not true for a password change request, so the rest of this question
So, without configuring those workstations to send the passwords
plaintext over the wire, is there any way for ppolicy to act on the
ldapmodify initiated by Samba from Windows clients attempting to change
Furthermore, if the above change is made so that ppolicy can evaluate
the plaintext password, what exactly will the interaction between LDAP
and the clients be if it fails to clear ppolicy constraints?
When you get it working you'll know. Questions of the form "what will happen
if" will always get answered by "try it and see."
This is syslog output, not debug output. I said to bump up the debug
Maybe I'm misunderstanding. From the slapd.conf manpage:
Specify the level at which debugging statements and
operation statistics should be syslogged (currently logged to the
syslogd(8) LOG_LOCAL4 facility).
I thought "debugging statements" is what you wanted? When I start slapd
with the -d option, I seem to get the same output as when I specify
'loglevel N' in the slapd.conf.
As I've said countless times - syslog is not a debugging tool. It is lossy;
when the syslog daemon gets too busy it discards messages. If it could be used
for everything there would be no need for us to provide a "-d" option. But in
fact, we *do* provide a "-d" option, and debugging is its only purpose.
As already mentioned, ppolicy doesn't restrict the rootDN. If you want
your policy constraints to work, you have to bind with some other DN
to make the changes. That will of course mean that you have to give
that DN write access to the selected attributes in your ACL.
Ok - I'll create an LDAP user specifically for changing passwords, and
set that as my "ldap admin dn" in the smb.conf, so the change won't be
done by the rootdn, as recommended by Adam and yourself. I'll then
create an entry in the slapd.conf like the one below and give that a shot.
by self write
by * auth
by dn="cn=pwchanger,dc=example,dc=com" write
You need to re-read the ACL docs.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
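As an added example (not configuration from the thread, and not Howard's or Ryan's own): a complete slapd.conf access directive for the scheme discussed above, in which Samba binds as cn=pwchanger,dc=example,dc=com instead of the rootDN so that ppolicy is actually consulted. The DN is taken from Ryan's fragment; the `access to attrs=userPassword` target line is an assumption, since the thread shows only the `by` clauses. The point it illustrates is why the posted ordering cannot work: slapd evaluates the `by` clauses of a directive in order and stops at the first `<who>` that matches, so `by * auth` placed before the pwchanger clause means that DN is granted `auth` and never reaches `write`.

```conf
# Added example, not from the thread. The DN cn=pwchanger,dc=example,dc=com
# is the one Ryan proposed; the "access to attrs=userPassword" target
# line is assumed, because the posted fragment contains only "by" clauses.
#
# The ordering as posted:
#
#   by self write
#   by * auth
#   by dn="cn=pwchanger,dc=example,dc=com" write
#
# "by *" matches the pwchanger bind before its own clause is reached, so
# slapd grants it "auth" only and the final "write" clause is dead.

# Corrected ordering: test the specific DN before any catch-all clause.
# dn.exact is spelled out so the match is not mistaken for a regex.
access to attrs=userPassword
        by dn.exact="cn=pwchanger,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# Whatever other access Samba's "ldap admin dn" needs to the rest of the
# entries is deployment-specific and deliberately not shown here; it goes
# in further "access to" directives that follow this one.
```

Because the password-changing DN is not the rootDN, every userPassword modify it performs passes through the ppolicy overlay, which is the behaviour Howard says the rootDN bypasses.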