password API needed

Luke Kenneth Casson Leighton lkcl at switchboard.net
Wed May 13 12:24:17 GMT 1998


(forwarded message)
Subject: Re: SAMBA: new password database api

One final observation. You are creating a policy database whether you recognize
it or not. LDAP is well suited for such a task with inheritance and
"references". There seems to be one set of information, arbitrarily long, that
is associated with each machine
 machine id
 machine password
 machine type
 etc.
Another for All Users
 login_directory  %login%
 allowed_login_times
 password fail attempts
 BOOL All_Users_overrides_groups
 etc
Another for a group
 group id
 group password
 applications allowed
 group_allowed_machines
 BOOL group_overrides_user
 etc
Finally another for each user
 user id
 user password
 user login directory
 user profile directory

These are all things which decide policy. Policy is most easily implemented
using inheritance. (Administrator doesn't have to do anything explicit to
maintain a constant policy.) What I think is needed is a hierarchical database
much like LDAP. Perhaps the University of Michigan LDAP server should just be
distributed with SAMBA?

However, LDAP does have the problem of non-standard ACL support and no
transactional support. Those two problems will be fixed. Also, LDAP doesn't do
Unicode. That means that if your name is Chinese or Arabic, it will be
difficult to search for it. That also will be fixed soon.

Just some comments.
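
The layered policy lookup described in the message above, as an added example that is not part of the original post or of Samba's code: it resolves one user's effective settings from the All Users, group and user entries and records which layer supplied each value. The message does not define how the two BOOL flags behave, so the precedence rules, the `group` membership key, and every sample value here are assumptions.

```python
# Added illustration. Attribute names follow the message; all values are constructed.
CONTROL_KEYS = {"group", "All_Users_overrides_groups", "group_overrides_user"}

ALL_USERS = {
    "login_directory": "/home/%login%",
    "allowed_login_times": "Mon-Fri 08:00-18:00",
    "password_fail_attempts": 5,
    "All_Users_overrides_groups": False,
}
GROUPS = {
    "engineering": {"applications_allowed": ["cc", "gdb"],
                    "allowed_login_times": "any",
                    "group_overrides_user": True},
    "guests": {"allowed_login_times": "Mon-Fri 09:00-17:00",
               "group_overrides_user": False},
}
USERS = {
    "alice": {"group": "engineering", "allowed_login_times": "Sat-Sun",
              "user_profile_directory": "/profiles/alice"},
    "bob": {"group": "guests", "login_directory": "/srv/bob"},
}

def precedence(all_users, group):
    """Return layer names from lowest to highest priority (assumed semantics)."""
    order = ["all_users", "group", "user"]      # plain inheritance: most specific wins
    if group.get("group_overrides_user"):
        order = ["all_users", "user", "group"]  # group settings beat the user's
    if all_users.get("All_Users_overrides_groups"):
        order.remove("all_users")               # place the global layer just above groups
        order.insert(order.index("group") + 1, "all_users")
    return order

def effective_policy(login, all_users=ALL_USERS):
    """Merge the layers for one user; each result is (value, layer it came from)."""
    user = USERS[login]
    group = GROUPS.get(user.get("group"), {})
    layers = {"all_users": all_users, "group": group, "user": user}
    result = {}
    for name in precedence(all_users, group):
        for attr, value in layers[name].items():
            if attr in CONTROL_KEYS:
                continue                        # flags steer the merge, they are not policy
            if isinstance(value, str):
                value = value.replace("%login%", login)
            result[attr] = (value, name)
    return result

if __name__ == "__main__":
    for login in USERS:
        print(login, effective_policy(login))
```

Keeping the source layer next to each value lets an administrator audit why a user ended up with a given login window or lockout threshold without editing any per-user entry.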





