[Samba] Password Expiration when using LDAP

Andrew Bartlett abartlet at samba.org
Sat Aug 3 15:13:02 GMT 2002

"Hesham S. Ahmed" wrote:
> Hi,
> We are planning to move all of our win2k server
> (currently around 50!) along with AD to Linux, we are
> planning to use LDAP based samba domain controllers
> for authentication and file/print serving. We are
> doing a pilot and things are fine till now, just one
> simple problem, what should we do with our password
> policy, we have three restrictions relating passwords
> minimum password length
> password expiration
> password history (so users can't reuse old password for
> some time)
> AFAIK samba 2.2.5 PDC doesn't support any of these. I
> was thinking if there is any way to implement these
> restrictions at LDAP level, I mean adding a few
> attributes storing password change dates and checking
> for expiration interval by using maybe a cron job that
> checks the no. of days elapsed.... or should I rather
> wait?
> Does HEAD support these features, my company wouldn't
> mind using HEAD in production!!! as most of our
> business is dependent on Lotus Domino which is in no
> way dependent on NT PDC functionality.

HEAD supports password ageing but not password history.  I think the
'min password length' has always been supported, but can be quickly
added if required.  I would like to add cracklib, and somebody was doing
a patch to clean that stuff up - but I'm not sure what happened to it...

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
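
The cron-job approach raised in the question, sketched as an added example that is not part of the original thread or of Samba: it reads LDIF exported from the directory and classifies each account by password age. It assumes the change date is kept in the RFC 2307 `shadowLastChange` attribute (days since 1970-01-01); the 90-day limit, 14-day warning window and the sample entries are constructed for illustration.

```python
from datetime import date

# Constructed sample export; DNs and values are invented for illustration.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
shadowLastChange: 11800

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
shadowLastChange: 11820

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
shadowLastChange: 11890

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
"""

def parse_ldif(text):
    """Yield one {attribute: value} dict per entry (last value wins)."""
    entry, last = {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):               # LDIF comment
            continue
        if line.startswith(" ") and last:      # folded continuation line
            entry[last] += line[1:]
        elif ":" in line:
            last, _, value = line.partition(":")
            entry[last] = value.strip()
        elif not line.strip() and entry:       # blank line ends an entry
            yield entry
            entry, last = {}, None

def password_status(text, today, max_age_days=90, warn_days=14):
    """Map uid -> 'ok' | 'warn' | 'expired' | 'unknown' (no usable date)."""
    today_days = (today - date(1970, 1, 1)).days
    result = {}
    for e in parse_ldif(text):
        uid = e.get("uid", e.get("dn"))
        try:
            age = today_days - int(e["shadowLastChange"])
        except (KeyError, ValueError):         # attribute missing or garbage
            result[uid] = "unknown"
            continue
        result[uid] = ("expired" if age >= max_age_days else
                       "warn" if age >= max_age_days - warn_days else "ok")
    return result
```

Accounts reported as `unknown` have no recorded change date, so a job built on this would need a policy for them rather than silently treating them as current.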
