[ldapext] Samba and the password policy draft

Jim Sermersheim jimse at novell.com
Fri Mar 12 08:06:31 GMT 2004


>>> Andrew Bartlett <abartlet at samba.org> 3/6/04 6:38:06 PM >>>

>What I am looking for is some additional control or operation that may
>be used by Samba/Heimdal/etc to say 'a user just logged in, with the
>right password', and 'a user just tried to log in with a wrong
>password'. 

I'm toying with the notion of changing the draft such that it describes password policy decision points, and then refers to those decision points when talking about how to implement operations like bind and compare. Once this is done, it should be easy to create new operations (like those you mentioned) and specify which password policy decision points are invoked during those new operations.
 
The first thing I noticed when looking at doing this is that the current wording for bind (and compare) requires server implementations to check for a locked account prior to performing the password comparison. I think we did this either as an optimization, or because we deemed it important to always check for the locked account condition. I think it'll be ok to just make a statement that this condition must be checked whether the password comparison succeeds or fails.
 
The only reason I bring this up is because the suggested operations above don't/can't follow the current pattern (unless there's also a 'this user is going to log in' precheck operation - yuk).
 
Jim
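
Added example, not part of the original message or of the draft: a sketch of the "decision points" idea discussed above, showing bind with the lock check before the comparison and an externally reported login result where the lock check runs after the comparison and applies either way. All names (dp_check_locked, report_auth_result, MAX_FAILURES, and so on) are hypothetical, and the plaintext password field is only there to keep the sketch short.

```python
import hmac
from dataclasses import dataclass, field

MAX_FAILURES = 3  # assumed policy value, not taken from the draft

@dataclass
class Entry:
    password: str                 # plaintext only to keep the sketch short
    failures: int = 0
    locked: bool = False
    log: list = field(default_factory=list)  # decision points invoked, in order

# --- decision points (hypothetical names) ---
def dp_check_locked(e):
    e.log.append("check_locked")
    return e.locked

def dp_auth_failed(e):
    e.log.append("auth_failed")
    e.failures += 1
    if e.failures >= MAX_FAILURES:
        e.locked = True

def dp_auth_succeeded(e):
    e.log.append("auth_succeeded")
    e.failures = 0

def _apply_result(e, password_ok):
    if password_ok:
        dp_auth_succeeded(e)
        return "ok"
    dp_auth_failed(e)
    return "invalid"

# --- operations expressed as sequences of decision points ---
def bind(e, supplied):
    """Current pattern: lock check first, then the server compares."""
    if dp_check_locked(e):
        return "locked"
    ok = hmac.compare_digest(supplied.encode(), e.password.encode())
    return _apply_result(e, ok)

def report_auth_result(e, password_ok):
    """An external verifier already did the comparison, so no precheck
    was possible. The lock check still runs, whether the comparison
    succeeded or failed; a correct password does not bypass the lock.
    Assumption: attempts against a locked entry are not counted."""
    if dp_check_locked(e):
        return "locked"
    return _apply_result(e, password_ok)
```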


