password API needed
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Wed May 13 12:24:17 GMT 1998
(forwarded message)
Subject: Re: SAMBA: new password database api
One final observation. You are creating a policy database whether you recognize
it or not. LDAP is well suited for such a task with inheritance and
"references". There seems to be one set of information, arbitrarily long, that
is associated with each machine

    machine id
    machine password
    machine type
    etc.

Another for All Users

    login_directory %login%
    allowed_login_times
    password fail attempts
    BOOL All_Users_overrides_groups
    etc

Another for a group

    group id
    group password
    applications allowed
    group_allowed_machines
    BOOL group_overrides_user
    etc

Finally another for each user

    user id
    user password
    user login directory
    user profile directory

This is all stuff which decides policy. Policy is most easily implemented
using inheritance. (Administrator doesn't have to do anything explicit to
maintain a constant policy.) What I think is needed is a hierarchical database
much like LDAP. Perhaps the University of Michigan LDAP server should just be
distributed with SAMBA?

However, LDAP does have the problem of non-standard ACL support and no
transactional support. Those two problems will be fixed. Also, LDAP doesn't do
Unicode. That means that if your name is Chinese or Arabic, it will be
difficult to search for it. That also will be fixed soon.

Just some comments.
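
The inheritance scheme sketched in the message above, as an added example that is not part of the original post and is not Samba or LDAP code: it resolves one user's effective policy from the All Users, group and user records and reports which layer supplied each value, so an administrator can audit where a setting such as the password failure limit comes from. The meaning given to the two BOOL flags, the default "most specific wins" order, the underscore spellings, the `group` membership key and all sample values are assumptions.

```python
# Added example: attribute names follow the message; the precedence rules
# and every sample value below are assumptions made for illustration.
FLAGS = {"All_Users_overrides_groups", "group_overrides_user"}

ALL_USERS = {
    "login_directory": "/home/%login%",
    "allowed_login_times": "08:00-18:00",
    "password_fail_attempts": 3,
    "All_Users_overrides_groups": False,
}
GROUPS = {
    "ops": {"allowed_login_times": "00:00-24:00",
            "password_fail_attempts": 5,
            "group_overrides_user": True},
    "staff": {"applications_allowed": ["mail"],
              "group_overrides_user": False},
}
USERS = {
    "alice": {"group": "ops", "password_fail_attempts": 10},
    "bob": {"group": "staff", "login_directory": "/srv/bob"},
}

def layer_order(all_users, group):
    """Return layer names from lowest to highest precedence."""
    order = ["all_users", "group", "user"]  # assumed default: most specific wins
    if group.get("group_overrides_user"):
        order = ["all_users", "user", "group"]
    if all_users.get("All_Users_overrides_groups"):
        # Assumed meaning: All Users settings rank directly above the group's.
        order.remove("all_users")
        order.insert(order.index("group") + 1, "all_users")
    return order

def effective_policy(user_id, all_users=None):
    """Resolve each attribute to (value, source layer) for one user."""
    all_users = ALL_USERS if all_users is None else all_users
    user = USERS[user_id]
    group = GROUPS[user["group"]]
    layers = {"all_users": all_users, "group": group, "user": user}
    resolved = {}
    for name in layer_order(all_users, group):
        for key, value in layers[name].items():
            if key in FLAGS or key == "group":
                continue  # flags and membership steer resolution, not policy
            resolved[key] = (value, name)  # later layers overwrite earlier ones
    return resolved

if __name__ == "__main__":
    for uid in USERS:
        print(uid, effective_policy(uid))
```
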