[ldapext] Samba and the password policy draft

Jim Sermersheim jimse at novell.com
Tue Mar 9 00:07:06 GMT 2004

(speaking on behalf of the other LDAP password policy I-D authors) This
kind of integration is something we do want to consider.
Before we look at adding additional operations though, can we talk
about the reasons that prevent these applications from using existing
LDAP operations? Our guess is that it has to do with the fact that Samba
fetches either an NT or LM hashed password from the directory, and uses
that to perform the comparison. The NT/LM hash doesn't work with LDAP
simple bind because LDAP simple bind requires a clear text password.
I'm wondering if there's something preventing the use of an NT/LM SASL
mechanism to perform an LDAP SASL bind. Novell is beginning to look at
doing just that and will contribute to the code if it's seen as
beneficial. If this were available, the password policy could still be
enforced by the LDAP server
Then for password modifications, there is RFC 3602. Do you think this
is sufficient to update these kinds of passwords? 
Note that the new password is optional.
Also note that we *could* update the policy draft such that the
pwdSafeModify requires either the old password, or a trusted identity to
make the change. 
I know that for both of these to work, the server will need to support
the SASL mechanism, and allow itself to be configured to populate the
correct attributes when the password modify operation is used.
Let me know your thoughts on pushing in this direction.

>>> Andrew Bartlett <abartlet at samba.org> 3/6/04 6:38:06 PM >>>
I have recently been made aware of the existence of 


and I would like to work with the ldapext group to make Samba suitable
for us with it, and the draft suitable for use with Samba (as well as
number of other tools in this class, being Cyrus-SASL and Heimdal's
hdb-ldap in particular).

These tools all have one thing in common, that is that they do not
generally ship cleartext passwords to LDAP when checking passwords. 
Instead, they use administrative rights to read the user's password
perform challenge-response on them. 

Similarly, these tools often do not have the original plaintext
for password changes, only the new plaintext. Again, this means that
these operations are performed as some administrative user.

However, I can see great value in ensuring that Samba complies with
password policies in force on the rest of the directory, and more
particularly, to allow Samba password policies (in some way derived
what MS does, as we match our NT4 semantics) to be set in the
using both NT and native LDAP tools.

What I am looking for is some additional control or operation that may
be used by Samba/Heimdal/etc to say 'a user just logged in, with the
right password', and 'a user just tried to log in with a wrong

Likewise, some additional control to say 'this password change on
of a user', would fix my second concern. 

I realise that these could be considered to be 'not LDAP's problem'
it regards password comparisons outside the directory), but in the
interests of seamless directory integration, I hope that some
accommodation can be made, particularly in the interests of
cross-protocol, cross-application consistency.

(Indeed Samba and some other tools may read the user's plaintext
password out of the userPassword attribute. It would be a pity to
defeat the max bad password checks while attempting to make an
administrator's live *easier*...)

Finally, I apologise if I have messed up some of the finer details of
LDAP here. While I have spent a lot of time (along with many others)
working of pdb_ldap in Samba, I am far from an LDAP guru...

Is this something the working group is willing to consider?

Andrew Bartlett
Andrew Bartlett abartlet at pcug.org.au 
Manager, Authentication Subsystems, Samba Team abartlet at samba.org 
Student Network Administrator, Hawker College abartlet at hawkerc.net 
http://samba.org http://build.samba.org http://hawkerc.net 

More information about the samba-technical mailing list