[Samba] Locking user accounts

Jim Morris jim at morris-world.com
Thu Dec 5 15:20:02 GMT 2002


On Thu, 2002-12-05 at 08:52, Martijn van Brummelen wrote:

> If I apply the patch that you say I will have to use pam. But the whole idea 
> of smb-ldap is not to use pam right?  I think your solution works with pam 
> but not with ldap I think. Cause all information is stored in ldap and pam 
> does not get involved. I will wait for more replies for a while; if that does 
> not work, I will try your solution.

This is indeed the case. This solution only works when you are using
PAM. If you are authenticating against an LDAP server, you will need to
somehow cause the account information stored on the LDAP server to
become disabled after a number of failed logon attempts.

Unfortunately, I do not know of any method to do that with an LDAP
server.  From Samba's perspective (for user authentication), the LDAP
server is just another way of storing the same information that we would
store in the smbpasswd file.  Think of it as a database that we use for
looking up the username and password. The database (or directory in this
case) is just a storage mechanism. It has no facilities for locking out
an account. We are looking up data in the directory - we are not logging
into the directory with the given username and password.  Without major
changes to Samba, I believe there is no way to achieve what you want
with just LDAP as the Samba authentication mechanism.

I would like to point out that there is a pam_ldap module available that
allows a Linux system to do user authentication against an LDAP
directory, rather than against a Unix password database.  By doing that,
you could have failed logons still use the pam_tally module to increment
a failed logon attempt counter, while using LDAP for the backend
password storage.  In this case, both the Unix and Samba passwords would
be stored in the LDAP directory I suppose.

Can someone that is using LDAP for Samba authentication comment on this,
especially if you are also using PAM?

Thanks!

-- 
/-----------------------------------------------
| Jim Morris  |  Email: Jim at Morris-World.com
|             |    AIM: JFM2001
\-----------------------------------------------



