[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: smbk5pwd and ppolicy working together

Adam, Howard, and list,

Upon Howard's suggestion, I went and re-read the docs on ACL's for
slapd.conf.   What I came up with is the following (I'll change the
first asterisk to the specific attributes once I've actually got it

# ACL's
access to *
   by dn.exact="cn=pwdchanger,dc=example,dc=com" write
   by * break

access to
   by   self    write
   by   *       auth

access to *
   by   *       read

I also set the 'ldap admin dn' to be cn=pwdchanger,dc=example,dc=com in
my smb.conf, and added him to the smbpasswd database.

I'm happy to report that my initial testing shows that ppolicy indeed is
being adhered to now.  A big thank you to Howard, Adam, Pat, and others
who assisted me.  I have noticed, as Thierry Lacoste pointed out, that
Windows reports a successful password change when the password fails
ppolicy restrictions - but ONLY if I have logging set to 0.  I have no
idea why the two are related.  If I have logging turned on (even to 1),
Windows reports "The system cannot change your password now because the
domain DOMAINNAME is unavailable", but at least it's confirmation on the
user end that the change didn't take.  However, this is a Samba issue,
not an LDAP issue, so I'll take my findings to their mailing list.

Again, thanks to those who helped me.

Best Regards,