[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: smbk5pwd and ppolicy working together

Buchan Milne wrote:
  Furthermore, if the above change is made so that ppolicy can evaluate
  the plaintext password, what exactly will the interaction between LDAP
  and the clients be if it fails to clear ppolicy constraints?

slapd will fail the operation, with a suitable error code and error text. Whether samba will send a useful error to the client (so that the client workstation displays an appropriate error message) is the next question.

According to Thierry's post
there's a problem there as well, but that's certainly a Samba or Windows issue, and nothing we can address in LDAP.

The third question is, what will happen to the samba password expiry
attributes, for both the case of changing via samba (should be fine)
and changing via ldap (won't be updated, samba passwords will still
appear to be expired). I also haven't had a chance to look at fixing
that (and again, the Heimdal equivalent also applies).

Current CVS smbk5pwd already takes care of these Samba attributes. What version are you looking at?

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/