Why Samba didn't use pam to hook into cracklib

Howard Chu hyc at highlandsun.com
Sun Apr 10 04:53:44 GMT 2005

Andrew Bartlett wrote:
> Finally, I should note my views on where this password quality check
> should be peformed.  In an ideal world, I would perform this password
> quality check in the LDAP server too which Samba and Heimdal both read
> their password databases from.  The password server should obtain a
> plaintext password (via for example the OpenLDAP password setup ExOP),
> and it should return a status regarding the quality of the password, if
> it were too poor.  Preferably this would include a text error string,
> for communication to the client if supported by the relevant protocols.
> (And then a good password would be set in all encryption types and Samba
> hashes, into the LDAP DB).

Funny that you should say that, this is exactly what HP is doing. The 
password policy overlay in OpenLDAP has a hook for dynamically loading a 
password quality checker and the HP folks use this hook to run cracklib 
on the incoming passwords.

> However, in a world where we don't yet do this, (Samba doesn't pass back
> specific errors from ldap very well, heimdal doesn't use the password
> set API, and we should cover the hdb-db), I would suggest cracklib be
> integrated into the password check API of heimdal as a child process, so
> that the two ways that a password may be set in my current directory
> setup are covered with some kind of check.  On my unix workstations,
> I'll probably also enforce local pam_cracklib, as this can get previous
> passwords, as well as return decent error strings.

I guess it's worth considering for those sites that use a non-LDAP hdb 
backing store. For sites that use the Heimdal KDC backed by LDAP there's 
really no reason to do password changes through anything besides LDAP.

   -- Howard Chu
   Chief Architect, Symas Corp.       Director, Highland Sun
   http://www.symas.com               http://highlandsun.com/hyc
   Symas: Premier OpenSource Development and Support

More information about the samba-technical mailing list