implementing password lockout

[Jianliang Lu]

> suppose the link goes down back to the central office.  If you can't update
> the master, you're screwed in terms of password attempts.
> 
> Unless you have multi-master replication, I'm not convinced it's safer to
> use the value in LDAP as _the_ value.  Even if the PDC stores the value in
> the LDAP server every time, each BDC _must_ maintain its own count just in
> case.  If the timestamp in LDAP > local timestamp (and you have to
> guarantee time consistency here), use the LDAP one and update the local
> with that, otherwise just use the local one.
> 
> ----------------------------
> Jim McDonough

Unless we have not implemented the replication on Samba, the better way to 
use the Samba-LDAP is the LDAP multi-master replication. We are Samba and not 
NT, so we can do better than NT. 
With the LDAP multi-master we have not only SAM accounts synchronized between 
the PDC and BDCs (last logon time, bad password count etc.), we have also 
solved the problem of recovery. In a NT environment when the PDC is down you 
cannot, for example, change a user's password, with the LDAP multi-master and 
dual samba (HA clustering), that a BDC take over also the PDC, you can do it. 
After the PDC come back, all SAM database will be updated on PDC. 
We have big sites that using Samba LDAP multi-master in NT-workstation-to-
Linux-Samba environment and work very well with my password policy's patch, 
also in a recovery state. Naturally the Samba with the patch is 3.0 Alpha22. 
We hope that in the final release of Samba 3.0 the password policy will be 
included and we propose to use  multi-master replication for LDAP backend.

Jianliang Lu


TieSse s.p.a.     Ivrea (To) - Italy
j.lu at tiesse.com   luj at libero.it
http://www.tiesse.com