password API needed

Luke Kenneth Casson Leighton lkcl at
Wed May 13 12:24:17 GMT 1998

(forwarded message)
Subject: Re: SAMBA: new password database api

One final observation. You are creating a policy database whether you recognize
it or not. LDAP is well suited for such a task with
inheritance and "references". There seems to be one set of information,
arbitrarily long, that is associated with each machine
 machine id
 machine password
 machine type
Another for All Users
 login_directory  %login%
 password fail attempts
 BOOL All_Users_overrides_groups
Another for a group
 group id
 group password
 applications allowed
 BOOL group_overrides_user
Finally another for each user
 user id
 user password
 user login directory
 user profile directory

These are all stuff which decides policy. Policy is most easily implemented
using inheritance. (Administrator doesn't have to do anything explicit to
maintain a constant policy.) What I think is needed is a hierarchical database
much like LDAP. Perhaps the University of Michigan LDAP server should just be
distributed with SAMBA?

However, LDAP does have the problem of non-standard ACL support and no
transactional support. Those two problems will be fixed. Also, LDAP does't do
Unicode. That means that if your name is Chinese or Arabic, it will be
difficult to search for it. That also will be fixed soon.

Just some comments.

More information about the samba-technical mailing list