Samba and the password policy draft

Howard Chu hyc at
Tue Apr 6 12:53:32 GMT 2004

>Andreas andreas at
>Wed Mar 17 17:06:10 GMT 2004

>On Mon, Mar 15, 2004 at 01:10:05PM +1300, Simon Annear wrote:
>> password lockout system.  I would expect that OpenLDAP should provide
>> the same functionality (I know it doesn't at this point in time).  I

>Howard Chu seems to have started development on this:

The password policy implementation in OpenLDAP CVS HEAD is complete, but more
testing wouldn't hurt. And I'm sure when Draft 8 of the policy document is
published we'll need to do some patching. If you've been following this
discussion thread, then you probably have enough context to meaningfully put
it through its paces.

Also you may be interested in contrib/slapd-modules/smbk5pwd which will
update Heimdal keys and Samba hashes when executing a pwdModify LDAP
operation. Again, it has only been lightly tested and more feedback would be

None of this helps Samba, Heimdal, or Cyrus-SASL to take advantage of LDAP
password policies though, as the OpenLDAP ppolicy module only handles LDAP
Simple Binds. Hacking the Cyrus SASL support to honor ppolicy would be
difficult, but maybe doable. At that point, it would be worthwhile to
consider having Samba use a passthru to SASL NTLM auth mechanism. I don't
understand why the SASL mech is a non-starter; if the mech generates a
challenge that Samba can forward to its client, and the mech processes the
response sent from the client, what's the problem?

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun     
  Symas: Premier OpenSource Development and Support

More information about the samba-technical mailing list