suggestion: LDAP and pwdMustChange value in pdb_ldap.c

Rauno Tuul rauno.tuul at haigekassa.ee
Fri Mar 21 00:40:12 GMT 2003


Hi,

A little suggestion to the Samba developers, as long as Samba doesn't support a "password expire time"...

In my office I have a rule that every domain password must be changed every
90 days. I store user info in LDAP.

So I added to smb.conf this line: 
passwd program = /usr/local/sbin/smbldap-pass.pl %u

The Perl script is a tuned-up version of one from the smbldap-tools script pack by IDEALX. It
changes the UNIX password and sets the password expiry time in LDAP.
The content of the script is at the end of this e-mail.

But the problem is in pdb_ldap.c.
When a user calls that binary to change the password, all data about the
user is first read from LDAP and stored in memory.
Then my Perl script (passwd program) is called, which successfully
changes the UNIX password and sets the new expiry date in LDAP. But at the end
Samba writes back all the data it got from LDAP, including the
"pwdMustChange" value. So even if the script changes the value, Samba puts
back the previous value.

There are two ways to solve this:
1) change pdb_ldap.c so it calculates the new "pwdMustChange" value and
writes it to LDAP.
   (if you need to change the time, you must recompile Samba)
2) comment out a few lines in pdb_ldap.c and use the Perl script.
   (for a small modification, tune only the Perl script)

pdb_ldap.c  773,775c773,774
< // commented out by raunz
< //    slprintf (temp, sizeof (temp) - 1, "%li",
pdb_get_pass_must_change_time(sampass));
< //    make_a_mod(mods, ldap_state, "pwdMustChange", temp);
---
>       slprintf (temp, sizeof (temp) - 1, "%li",
pdb_get_pass_must_change_time(sampass));
>       make_a_mod(mods, ldap_state, "pwdMustChange", temp);
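Review bot: the write of pwdMustChange at 773-775 is dropped unconditionally, so after this change Samba can never update the attribute through this code path for any caller, not only when a passwd program has already set it; a narrower fix would skip `make_a_mod(mods, ldap_state, "pwdMustChange", temp)` only when the passwd program is responsible for the expiry, or re-read the entry after the passwd program returns so the cached value is fresh before the write-back. Two smaller points: `//` comments are C99/C++ style and belong as `/* ... */` or `#if 0 ... #endif` in Samba's C tree, and the diff is reversed (the `<` side is the modified copy, so applying it with `patch` would put the two lines back); regenerate it with `diff -u` from the original file to the modified one.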

I don't understand why Samba even reads/writes the other LDAP values, when
Samba only changes the password hashes and the password set time...
This way I got Samba to act as I wanted :)

I hope that made sense...

The best solution would be to implement a "password expire time" variable.

RaunZ

======================================
#!/usr/bin/perl
#
# smbldap-pass.pl: Samba "passwd program" that changes the UNIX (LDAP)
# password and then stores the new expiry time (now + 90 days) in the
# pwdMustChange attribute of the user's LDAP entry.
# Based on the smbldap-tools scripts by IDEALX.

use strict;
use warnings;
use smbldap_tools;
use smbldap_conf;

my $user;
my $ret;
my $arg;

# The user name is the first argument that does not start with '-'.
# (substr($arg, 0) returns the whole string; we need the first character.)
foreach $arg (@ARGV) {
        if (substr($arg, 0, 1) ne '-') {
                $user = $arg;
        }
}

die "usage: $0 username\n" unless defined $user;

# test existence of user in LDAP
my $dn_line = get_user_dn($user);
die "user $user not found in LDAP\n" unless defined $dn_line;
my $dn = get_dn_from_line($dn_line);

# prompt for new password (the prompts must match Samba's "passwd chat")
my $pass;
my $pass2;

system "stty -echo";
print "New password : ";
chomp($pass = <STDIN>);
print "\n";
system "stty echo";

system "stty -echo";
print "Retype new password : ";
chomp($pass2 = <STDIN>);
print "\n";
system "stty echo";

if ($pass ne $pass2) {
        print "passwords do not match\n";
        exit 1;
}

# change unix password
# Quote the password for the shell so a ' in it cannot break the command;
# the DN is quoted as well since it is passed through the shell too.
(my $shpass = $pass) =~ s/'/'\\''/g;
$ret = system "$ldappasswd '$dn' -s '$shpass' > /dev/null";
if ($ret == 0) {
        print "password changed successfully\n";
} else {
        # 'return' is only valid inside a sub; pass the command's exit status on
        exit(($ret >> 8) || 1);
}

# generate time, when password expires
my $passexpires = time() + 90*24*60*60;

my $tmpldif =
"$dn_line
changetype: modify
replace: pwdMustChange
pwdMustChange: $passexpires
-
";

do_ldapmodify($tmpldif);

exit 0;

# - The End
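The write-back behaviour described in the e-mail is easy to confirm or rule out: after the passwd program has run, read pwdMustChange for the user and compare it with the value the script should have written (now + 90 days). The following check is an added example and not part of the original e-mail or of the smbldap-tools; it assumes the same 90-day lifetime as the script, a 10-minute tolerance between the password change and the check, and uses constructed LDIF entries in place of real directory data.

```shell
#!/bin/sh
# Added example, not from the original e-mail: check whether the pwdMustChange
# value in LDAP really moved after the passwd program ran. If Samba wrote its
# cached copy of the entry back (the pdb_ldap.c behaviour described above),
# the attribute still holds the old value and the check reports it as stale.

# Password lifetime: the 90 days the script uses (assumption: same policy).
PW_LIFETIME=$((90 * 24 * 60 * 60))
# Slack, in seconds, allowed between "now + lifetime" and the stored value,
# to cover the time between the password change and this check (assumed).
SLACK=600

# pwd_must_change_from_ldif: read ldapsearch -LLL style LDIF on stdin and
# print the first pwdMustChange value. LDAP attribute names are
# case-insensitive, so the comparison is done in lower case.
pwd_must_change_from_ldif() {
    awk 'tolower($1) == "pwdmustchange:" { print $2; exit }'
}

# check_pwd_must_change VALUE NOW
# returns 0 if VALUE is within SLACK of NOW + PW_LIFETIME (the script's
# write survived), 1 if it is stale (clobbered by the write-back),
# 2 if it is missing or not a number.
check_pwd_must_change() {
    value=$1
    now=$2
    case $value in
        ''|*[!0-9]*) return 2 ;;
    esac
    expected=$((now + PW_LIFETIME))
    delta=$((expected - value))
    [ "$delta" -lt 0 ] && delta=$((-delta))
    [ "$delta" -le "$SLACK" ]
}

# Constructed sample entries (not real directory data). NOW is the moment the
# passwd program ran; the "ok" entry carries NOW + 90 days, the "stale" entry
# the old value Samba wrote back from its cached copy.
NOW=1048207212
LDIF_OK='dn: uid=jdoe,ou=Users,dc=example,dc=com
uid: jdoe
pwdMustChange: 1055983212
'
LDIF_STALE='dn: uid=jdoe,ou=Users,dc=example,dc=com
uid: jdoe
pwdMustChange: 1040431212
'

# report_entry LDIF NOW: print a one-line verdict for one entry; always
# returns 0 so it can be used in a loop over many users.
report_entry() {
    v=$(printf '%s\n' "$1" | pwd_must_change_from_ldif)
    rc=0
    check_pwd_must_change "$v" "$2" || rc=$?
    case $rc in
        0) echo "ok: pwdMustChange=$v matches now+90d" ;;
        1) echo "STALE: pwdMustChange=$v was not updated (write-back clobbered it?)" ;;
        *) echo "MISSING: no numeric pwdMustChange in entry" ;;
    esac
    return 0
}

report_entry "$LDIF_OK" "$NOW"
report_entry "$LDIF_STALE" "$NOW"
```

Against a live directory, replace the constructed LDIF with the output of `ldapsearch -x -LLL uid=jdoe pwdMustChange` piped into pwd_must_change_from_ldif, and pass the time at which the password was changed as NOW; a stale verdict right after a successful password change is the symptom the e-mail describes.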


More information about the samba-technical mailing list