Passowrd policy patch on Samba-3.0.2 for LDAP backend

Andrew Bartlett abartlet at
Fri Feb 20 05:33:09 GMT 2004

On Fri, 2004-02-20 at 14:22, Jim McDonough wrote:
> >I don't like the microsoft approach.  An attacker can create a *lot* of
> >inter-site traffic that way.
> >
> >I like the idea that all our communication between DC's is via our
> >shared backend, and I don't think this is the issue to force it.  I'm
> >not worried that the PDC can be 'behind' on bad password attempts - I
> >think that a per-DC counter is fine, with global lockout.
> Ok, so how do you propose we handle password changes?  Do we tell a user to
> change their password, but don't try to logon again until they think the
> backend has replicated?  Or do we also now cache the password?

Caching the password would be one way, but I don't like it.  What we
should do is have a way to find out when the password change (or any
other change to our passdb) has been propagated to all replicas.  In a
push replica modal, such as OpenLDAP's, we should in theory be able to
find this out.

Some operations should not care that the LDAP slaves may be old, but
other operations should wait until all slaves are alive.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list