Password policy patch on Samba-3.0.2 for LDAP backend

Jim McDonough jmcd at us.ibm.com
Thu Feb 19 21:13:07 GMT 2004






First of all, thanks for all the work!

I'm incorporating large pieces of this into password lockout support, but
with a few modifications.  First, I'm doing it a bit at a time, so I'm
starting with just lockout.

Next, I'm declaring that I don't like magic uint32 values of 0xFFFFFFFF to
mean turn off duration, lockout count, and reset count time, because even 0
would be a silly value to be a valid policy...in other words, having a
lockout count of 0 would lock everyone out, a reset count of 0 would reset
everyone's badpw counter every time, and duration of 0 would reset
everyone's lockout flag immediately.  So 0 means these policies are turned
off.

I've reorganized the fn()s that increment, and check for resets in passdb
so that they are a bit easier to read, I believe, and will ultimately
result in fewer calls.  But the overall function is the same.

Also, I'm not yet committing anything on the ldap backend, because as
stated before, your design with multiple ldap servers for the DCs will best
function with multi-master replication, which we cannot count on.  I'm
still evaluating how to approach this, but one possibility is similar to
Windows in that reset counts will be cached locally and will only get
committed for specific reasons (like lockout count reached).

----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

jmcd at us.ibm.com
jmcd at samba.org

Phone: (207) 885-5565
IBM tie-line: 776-9984
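
The "0 means the policy is turned off" semantics described in the message above, as an added illustration that is not part of the original post and is not Samba code. The struct, field and function names are hypothetical; reading a disabled duration as "no automatic unlock" and a disabled reset time as "no timed reset" is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical types for illustration; not Samba's passdb structures. */
struct lockout_policy {
    uint32_t threshold;    /* bad attempts before lockout; 0 = never lock */
    uint32_t reset_window; /* secs until bad count resets; 0 = no timed reset */
    uint32_t duration;     /* secs a lockout lasts; 0 = no automatic unlock */
};
struct account { uint32_t bad_count; time_t last_bad, locked_at; bool locked; };

/* Returns true only when the logon is accepted. */
bool attempt_logon(const struct lockout_policy *p, struct account *a, bool password_ok, time_t now)
{
    /* Expire stale state first; a policy field set to 0 disables its timer. */
    if (a->locked && p->duration != 0 && now - a->locked_at >= (time_t)p->duration) {
        a->locked = false;
        a->bad_count = 0;
    }
    if (!a->locked && p->reset_window != 0 && now - a->last_bad >= (time_t)p->reset_window)
        a->bad_count = 0;
    if (a->locked)
        return false; /* a correct password is still refused while locked */
    if (password_ok) {
        a->bad_count = 0;
        return true;
    }
    a->bad_count++;
    a->last_bad = now;
    if (p->threshold != 0 && a->bad_count >= p->threshold) {
        a->locked = true;
        a->locked_at = now;
    }
    return false;
}

int main(void)
{
    struct lockout_policy p = { 3, 60, 300 }; /* constructed sample policy */
    struct account a = { 0 };
    for (time_t t = 0; t < 3; t++)
        attempt_logon(&p, &a, false, t);
    printf("locked=%d, correct password at t=10 accepted=%d\n", a.locked, attempt_logon(&p, &a, true, 10));
    return 0;
}
```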

