Password policy patch on Samba-3.0.2 for LDAP backend

Andrew Bartlett abartlet at samba.org
Fri Feb 20 05:33:09 GMT 2004


On Fri, 2004-02-20 at 14:22, Jim McDonough wrote:
> 
> 
> >I don't like the microsoft approach.  An attacker can create a *lot* of
> >inter-site traffic that way.
> >
> >I like the idea that all our communication between DC's is via our
> >shared backend, and I don't think this is the issue to force it.  I'm
> >not worried that the PDC can be 'behind' on bad password attempts - I
> >think that a per-DC counter is fine, with global lockout.
> Ok, so how do you propose we handle password changes?  Do we tell a user to
> change their password, but don't try to logon again until they think the
> backend has replicated?  Or do we also now cache the password?

Caching the password would be one way, but I don't like it.  What we
should do is have a way to find out when the password change (or any
other change to our passdb) has been propagated to all replicas.  In a
push replica model, such as OpenLDAP's, we should in theory be able to
find this out.

Some operations should not care that the LDAP slaves may be old, but
other operations should wait until all slaves are alive.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
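The two design points argued over in this thread (a bad-password counter kept per DC with a lockout flag that is global because it lives in the shared backend, and a way to tell whether a password change has reached every replica before the user retries a logon) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Samba code and not the patch under discussion; the lockout threshold, the sequence-number replication log, the account data and the `Master`/`Replica`/`DomainController` names are all constructed for the example.

```python
"""Constructed model of per-DC bad-password counters with a global lockout flag,
plus a replication-lag check for password changes (illustration only, not Samba)."""
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5  # assumed policy value for the example


@dataclass
class Replica:
    """A read-only LDAP slave fed by push replication from the master."""
    name: str
    last_applied_seq: int = 0                       # highest master change applied
    accounts: dict = field(default_factory=dict)    # user -> {"password":..., "locked":...}


class Master:
    """The writable backend; every change gets a sequence number and is pushed out."""
    def __init__(self):
        self.seq = 0
        self.replicas = []
        self.log = []                                # (seq, user, attribute, value)

    def write(self, user, attribute, value):
        self.seq += 1
        self.log.append((self.seq, user, attribute, value))
        return self.seq                              # caller keeps this to check propagation

    def push(self, replica, upto=None):
        """Push replication: the master drives changes to one replica (optionally partial)."""
        for seq, user, attribute, value in self.log:
            if seq <= replica.last_applied_seq:
                continue
            if upto is not None and seq > upto:
                break                                # simulate a replica lagging behind
            replica.accounts.setdefault(user, {})[attribute] = value
            replica.last_applied_seq = seq

    def propagated(self, seq):
        """True once every replica has applied the change with this sequence number."""
        return all(r.last_applied_seq >= seq for r in self.replicas)


class DomainController:
    """A DC reads its local replica; its bad-password counter is local and never replicated."""
    def __init__(self, name, master, replica):
        self.name, self.master, self.replica = name, master, replica
        self.bad_counts = {}

    def logon(self, user, password):
        acct = self.replica.accounts.get(user)
        if acct is None:
            return "no such user"
        if acct.get("locked"):
            return "locked"
        if password == acct.get("password"):
            self.bad_counts[user] = 0
            return "ok"
        self.bad_counts[user] = self.bad_counts.get(user, 0) + 1
        if self.bad_counts[user] >= LOCKOUT_THRESHOLD:
            # Lockout is global: it is written to the shared backend, so every DC
            # sees it once replication has delivered it.
            self.master.write(user, "locked", True)
            return "locked"
        return "bad password"


def demo():
    """Walk through lockout and a password change across two DCs; returns the observations."""
    m = Master()
    r1, r2 = Replica("ldap-1"), Replica("ldap-2")
    m.replicas = [r1, r2]
    dc1, dc2 = DomainController("DC1", m, r1), DomainController("DC2", m, r2)
    ev = {}
    seq = m.write("alice", "password", "s3cret-old")   # constructed sample account
    m.push(r1); m.push(r2)
    ev["initial propagated"] = m.propagated(seq)
    for _ in range(4):
        dc1.logon("alice", "wrong")
    for _ in range(3):
        dc2.logon("alice", "wrong")
    ev["per-DC counts"] = (dc1.bad_counts["alice"], dc2.bad_counts["alice"])  # 7 attempts, no lockout yet
    ev["dc1 fifth bad"] = dc1.logon("alice", "wrong")           # crosses threshold, writes lockout
    ev["dc2 before push"] = dc2.logon("alice", "s3cret-old")    # lockout not yet replicated
    m.push(r1); m.push(r2)
    ev["dc2 after push"] = dc2.logon("alice", "s3cret-old")     # now globally locked
    m.write("alice", "locked", False)                           # admin unlock
    seq = m.write("alice", "password", "s3cret-new")            # user changes password
    m.push(r1); m.push(r2, upto=seq - 1)                        # ldap-2 has the unlock but not the new password
    ev["change propagated"] = m.propagated(seq)
    ev["dc2 stale password"] = dc2.logon("alice", "s3cret-new")  # counts as a bad attempt on DC2
    m.push(r2)
    ev["change propagated later"] = m.propagated(seq)
    ev["dc2 fresh password"] = dc2.logon("alice", "s3cret-new")
    return ev


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `propagated()` check is the piece Andrew describes wanting: a client that just changed its password could be told to wait until it returns true before the new credential is used, while operations that tolerate stale slaves (a plain logon) read the local replica without waiting. The run also shows the cost he accepts: seven wrong passwords spread over two DCs do not trip a threshold of five, and a DC still authenticates the old password until the lockout flag reaches its replica.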