implementing password lockout
Jianliang Lu
j.lu at tiesse.com
Wed Jan 28 11:37:07 GMT 2004
> suppose the link goes down back to the central office. If you can't update
> the master, you're screwed in terms of password attempts.
>
> Unless you have multi-master replication, I'm not convinced it's safer to
> use the value in LDAP as _the_ value. Even if the PDC stores the value in
> the LDAP server every time, each BDC _must_ maintain its own count just in
> case. If the timestamp in LDAP > local timestamp (and you have to
> guarantee time consistency here), use the LDAP one and update the local
> with that, otherwise just use the local one.
>
> ----------------------------
> Jim McDonough
As long as we have not implemented replication in Samba, the better way to
use Samba with LDAP is LDAP multi-master replication. We are Samba and not
NT, so we can do better than NT.
With LDAP multi-master we not only have the SAM accounts synchronized between
the PDC and BDCs (last logon time, bad password count, etc.), we have also
solved the problem of recovery. In an NT environment, when the PDC is down you
cannot, for example, change a user's password; with LDAP multi-master and
dual Samba (HA clustering), where a BDC also takes over the PDC role, you can do it.
After the PDC comes back, the whole SAM database will be updated on the PDC.
We have big sites using Samba LDAP multi-master in an NT-workstation-to-
Linux-Samba environment, and it works very well with my password policy patch,
also in a recovery state. Naturally, the Samba with the patch is 3.0 Alpha22.
We hope that in the final release of Samba 3.0 the password policy will be
included, and we propose to use multi-master replication for the LDAP backend.
Jianliang Lu
TieSse s.p.a. Ivrea (To) - Italy
j.lu at tiesse.com luj at libero.it
http://www.tiesse.com
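The reconciliation rule Jim describes in the quoted text (take the LDAP bad-password record only when its timestamp is newer than the local one, otherwise trust the local counter, so a BDC keeps counting while the link to the directory is down) as an added, illustrative example; it is not Samba code and not part of the original thread. The `BadPwState`, `BadPwTracker` names and the plain-dict stand-in for the LDAP store are assumptions made for the example, and it assumes the synchronized clocks the quoted text says you must guarantee.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BadPwState:
    """Bad-password counter and the time it was last updated (hypothetical layout)."""
    count: int
    stamp: int  # epoch seconds; PDC/BDC clocks assumed synchronized, as the post requires


class BadPwTracker:
    """Per-DC tracker: keeps its own counter and consults the LDAP copy when reachable."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.local: Dict[str, BadPwState] = {}

    def _reconcile(self, user: str, remote: Optional[BadPwState]) -> BadPwState:
        local = self.local.get(user, BadPwState(0, 0))
        # Newer LDAP record wins and refreshes the local copy; otherwise the local
        # counter stands, which is what keeps lockout working when LDAP is unreachable.
        if remote is not None and remote.stamp > local.stamp:
            local = BadPwState(remote.count, remote.stamp)
            self.local[user] = local
        return local

    def record_failure(self, user: str, now: int,
                       ldap: Optional[Dict[str, BadPwState]]) -> BadPwState:
        """Called on a failed logon; ldap is None while the link to the directory is down."""
        remote = ldap.get(user) if ldap is not None else None
        state = self._reconcile(user, remote)
        state = BadPwState(state.count + 1, now)
        self.local[user] = state
        if ldap is not None:  # push the new count to the directory when it is reachable
            ldap[user] = state
        return state

    def is_locked_out(self, user: str, ldap: Optional[Dict[str, BadPwState]]) -> bool:
        remote = ldap.get(user) if ldap is not None else None
        return self._reconcile(user, remote).count >= self.threshold
```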