Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly
Volker Lendecke wrote:
> On Tue, Apr 08, 2008 at 10:10:18AM -0400, Ryan Steele wrote:
>
>> I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure
>> why it's showing the user this message instead. I see I can edit the
>> values that Samba is showing the user with pdbedit, but I shouldn't need
>> to edit that - my password policy is defined in LDAP, and those are the
>> messages I'd like the users to see.
>>
>
> How are these policies exactly defined in LDAP? Are they
> visible for LDAP clients?
>

It's an explicit entry in LDAP:

56 cn=Password Policy,ou=Policies,dc=example,dc=com
cn: Password Policy
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdMinAge: 3468000
pwdMinLength: 6
pwdExpireWarning: 432000
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdLockout: TRUE
pwdCheckQuality: 1
pwdGraceAuthNLimit: 0
pwdInHistory: 6
pwdMaxFailure: 2
pwdLockoutDuration: 60
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: top
pwdCheckModule: check_password.so
pwdSafeModify: FALSE

The check_password.so module is what's doing the strength checks,
similar to how the 'check password script' works in Samba. All other
password policy attributes listed above are visible (read access) from a
directory listing (for every user).

> If they are visible, then we might have a chance to return
> them to the client, although this would require coding. If
> they are defined in some LDAP server config file that is not
> visible to Samba, then we can't export those to the client.
>

It sounds like everything is pretty cut and dry with the exception of
the checks enforced by check_password.so. But, I think if Samba just
returned the errors sent back by LDAP/check_password.so (e.g., "password
too short", "password does not meet required strength checks", etc.),
that would suffice. I can see that Samba receives these error messages,
but seems to do nothing with them (log information included in previous
posts in this thread).

If that can be rectified, that should get us pretty close, no?

Thanks as always,
Ryan

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
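An added example, not part of the original post or of Samba: a Python sketch that reads the pwd* attributes quoted above and derives the `pdbedit -P ... -C ...` account policy settings that would make Samba display matching values, and lists the attributes it leaves unmapped. The attribute-to-policy mapping and the function names are assumptions made for this illustration; the policy values are copied from the post, and ppolicy durations are in seconds while Samba's "lockout duration" is in minutes.

```python
import math

# Sample input: pwd* attributes copied from the entry in the post.
ENTRY = """\
pwdMaxAge: 3888000
pwdMinAge: 3468000
pwdMinLength: 6
pwdExpireWarning: 432000
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdInHistory: 6
pwdMaxFailure: 2
pwdLockoutDuration: 60
pwdCheckModule: check_password.so
"""

# Assumed mapping: ppolicy attribute -> (Samba account policy, seconds per Samba unit)
MAPPING = {
    "pwdMinLength": ("min password length", 1),
    "pwdInHistory": ("password history", 1),
    "pwdMaxAge": ("maximum password age", 1),        # both sides in seconds
    "pwdMinAge": ("minimum password age", 1),
    "pwdMaxFailure": ("bad lockout attempt", 1),
    "pwdLockoutDuration": ("lockout duration", 60),  # Samba counts minutes
}
LOCKOUT_ATTRS = {"pwdMaxFailure", "pwdLockoutDuration"}

def parse_entry(text):
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep and k.startswith("pwd")}

def to_samba_policy(attrs):
    """Return (policy dict, pwd* attributes this mapping leaves untouched)."""
    lockout = attrs.get("pwdLockout", "").upper() == "TRUE"
    policy, unmapped = {}, []
    for name, value in attrs.items():
        usable = name in MAPPING and value.isdigit() and int(value) > 0
        if usable and (lockout or name not in LOCKOUT_ATTRS):
            samba_name, divisor = MAPPING[name]
            policy[samba_name] = math.ceil(int(value) / divisor)
        elif name != "pwdLockout":
            unmapped.append(name)  # includes zero ("no limit") values
    return policy, unmapped

def pdbedit_commands(policy):
    return [f'pdbedit -P "{n}" -C {v}' for n, v in policy.items()]

if __name__ == "__main__":
    print(*pdbedit_commands(to_samba_policy(parse_entry(ENTRY))[0]), sep="\n")
```

The unmapped list for this entry contains pwdCheckModule: the strength checks done by check_password.so have no account policy field in this mapping.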