Notes on the new account policy code

Guenther Deschner gd at
Tue Jan 25 11:34:27 GMT 2005

Hi Andrew,

On Tue, Jan 25, 2005 at 03:50:48PM +1100, Andrew Bartlett wrote:
> Unfortunately, I seem to be hitting problems with the migration of
> account policies:
> start migrating account policies into passdb
>         migrating account policy (#1: min password length with value: 5)
> to passdb
> failed to set account_policy
> Could not migrate account policy tdb to passdb.
> Could not open account policy tdb.

I guess you are familiar with setting a higher debuglevel to reveal the
real problem :)

> From an ethereal trace, it appears that the problem stems from the fact
> that I have my sambaDomain object in a ou=domains subtree. 

Ok, I haven't thought of that. Sorry, my fault.

> In the attached patch I reuse the search we already make for the domain
> object to create the parent DN for the individual policies.

Thanks, that's a good idea.

> In any case, I decided to look at the code.  What I can't understand is
> why we seem to have a private cache in a tdb, for the account policy
> values.  If LDAP is down, or slow, then we are pretty well stuffed in
> every case, so other than added complexity, what does this gain us?

It simply saves LDAP lookups. Without the cache, e.g. the PASSWORD HISTORY
policy is queried about 8 times during each samlogon. As these policies
really do not change very often, I thought it makes sense to read just the
tdb-cache. I'm working with highly loaded ldap-servers quite often, where
avoiding redundant ldap-queries has to be done wherever possible. Not?

> We should also make this migration fail well - if there are problems,
> then it would be nice not to lose all service until somebody fixes the
> LDAP configuration, or figures out what Samba is trying to do.

Will work on that.

> BTW, I agree with jerry that this should be LDAP attributes, like
> 'maxPwdAge' is in AD, but I needed the patch to work today :-).

Working on that too, as soon as I find time for it again. The inclusion of
the passdb-account policies is at least delayed anyway.

Thanks for your patch, I'm going to integrate it (hopefully later today),

Guenther Deschner                                               Samba Team
SerNet GmbH - Goettingen                                      gd at samba,org
