[Samba] ppolicy overlay (WAS: Enforcing Password Policies...)
Thierry Lacoste
lacoste at miage.univ-paris12.fr
Mon Aug 13 11:14:25 GMT 2007
On Monday 13 August 2007 03:11, Andrew Bartlett wrote:
> On Thu, 2007-08-09 at 00:56 +0200, Thierry Lacoste wrote:
> > On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
> > > Dear Help,
> > >
> > > I'm currently running Samba with an LDAP passdb backend. I'm trying to
> > > figure out how to NOT allow a particular user to change their password
> > > (through Windows, or any interface). I've tried modifying the values
> > > for sambaPwdCanChange and sambaPwdMustChange for a particular user, but
> > > it seems like it only affects making them change their password,
> > > instead of whether or not they're ALLOWED to.
> >
> > With OpenLDAP one can use
> > ldap passwd sync = only
> > in smb.conf and let the smbk5pwd overlay synchronize the LM and NT
> > passwords.
> >
> > If you add the ppolicy overlay you have a clean way to prevent password
> > changes for some accounts (through Windows, or any interface).
> > For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE
> >
> > The only problem is that a Windows client reports a successful password
> > change even though the password was not changed because of the above
> > pwdPolicy.
>
> Was it not changed? To OpenLDAP, the change from Samba doesn't look
> like a user change (because we set it using Samba's credentials).
According to man 5 slapo-ppolicy:
Note that some of the policies do not take effect when the operation is
performed with the rootdn identity; all the operations, when performed
with any other identity, may be subjected to constraints, like access
control.
The pwdPolicy applies to my smb.conf ldap admin dn because it is not my
slapd.conf rootdn.
- I first remove the pwdPolicy from a user's account using my rootdn:
$ ldapmodify -D 'cn=ldapmgr,ou=managers,o=stars' -w ldappass
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
delete: pwdPolicySubentry
modifying entry "uid=lacoste,ou=Users,ou=Accounts,o=stars"
- I confirm that my slapd.conf ACLs allow my ldap admin dn to
change a user's password:
$ ldapmodify -D 'cn=sambamgr,ou=managers,o=stars' -w sambapass
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
userPassword: secret1
modifying entry "uid=lacoste,ou=Users,ou=Accounts,o=stars"
- I apply a pwdPolicy:
$ ldapsearch -LLL -b 'ou=Policies,o=stars' 'cn=frozen'
dn: cn=frozen,ou=Policies,o=stars
objectClass: pwdPolicy
objectClass: device
objectClass: top
cn: frozen
pwdAttribute: userPassword
pwdAllowUserChange: FALSE
$ ldapmodify -D 'cn=ldapmgr,ou=managers,o=stars' -w ldappass
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=frozen,ou=Policies,o=stars
modifying entry "uid=lacoste,ou=Users,ou=Accounts,o=stars"
- Now my ldap admin dn cannot change the user's password:
$ ldapmodify -D 'cn=sambamgr,ou=managers,o=stars' -w sambapass
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
userPassword: secret2
modifying entry "uid=lacoste,ou=Users,ou=Accounts,o=stars"
ldap_modify: Insufficient access (50)
additional info: User alteration of password is not allowed
Regards,
Thierry.
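The thread's point is that slapo-ppolicy constraints such as pwdAllowUserChange: FALSE are skipped only when the modification is made as the slapd.conf rootdn, so whether a Samba-initiated change is blocked depends on whether smb.conf's "ldap admin dn" is that rootdn. The following script is an added example (not code from the thread, Samba or OpenLDAP) that reads constructed smb.conf, slapd.conf and pwdPolicy LDIF fragments and reports whether password changes relayed by Samba would be refused by the policy. The sample configuration text and the function names (parse_smb_conf, parse_slapd_conf, parse_ldif_entry, evaluate) are assumptions made for the example.

```python
import re

# Constructed smb.conf fragment (not from the thread). The ldap admin dn is a
# separate manager account, as in the original poster's setup, not the rootdn.
SMB_CONF = """\
[global]
    workgroup = STARS
    passdb backend = ldapsam:ldap://localhost
    ldap admin dn = cn=sambamgr,ou=managers,o=stars
    ldap passwd sync = only
"""

# Constructed slapd.conf fragment with both overlays the thread mentions.
SLAPD_CONF = """\
database bdb
suffix "o=stars"
rootdn "cn=ldapmgr,ou=managers,o=stars"
overlay smbk5pwd
overlay ppolicy
"""

# Constructed pwdPolicy entry mirroring the shape of the "frozen" policy.
POLICY_LDIF = """\
dn: cn=frozen,ou=Policies,o=stars
objectClass: pwdPolicy
objectClass: device
objectClass: top
cn: frozen
pwdAttribute: userPassword
pwdAllowUserChange: FALSE
"""


def parse_smb_conf(text):
    """Return the [global] parameters of an smb.conf as a dict of lowercased keys."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params


def parse_slapd_conf(text):
    """Extract the rootdn and the list of loaded overlays from a slapd.conf fragment."""
    conf = {"rootdn": None, "overlays": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "rootdn":
            conf["rootdn"] = value
        elif keyword == "overlay":
            conf["overlays"].append(value.lower())
    return conf


def parse_ldif_entry(text):
    """Parse one simple (unfolded, non-base64) LDIF entry into attr -> [values]."""
    entry = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        attr, value = raw.split(":", 1)
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def normalize_dn(dn):
    """Case-insensitive, whitespace-insensitive DN comparison key."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()


def evaluate(smb_text, slapd_text, policy_text):
    """Report whether a Samba-relayed password change would hit pwdAllowUserChange."""
    smb = parse_smb_conf(smb_text)
    slapd = parse_slapd_conf(slapd_text)
    policy = parse_ldif_entry(policy_text)
    admin_dn = smb.get("ldap admin dn", "")
    rootdn = slapd["rootdn"] or ""
    ppolicy_loaded = "ppolicy" in slapd["overlays"]
    # Per slapo-ppolicy, a missing pwdAllowUserChange defaults to TRUE.
    allow_user_change = policy.get("pwdAllowUserChange", ["TRUE"])[0].upper() != "FALSE"
    # Policies are bypassed when the operation is performed as the rootdn.
    admin_is_rootdn = bool(admin_dn) and normalize_dn(admin_dn) == normalize_dn(rootdn)
    return {
        "passwd_sync_only": smb.get("ldap passwd sync", "no").lower() == "only",
        "ppolicy_loaded": ppolicy_loaded,
        "admin_is_rootdn": admin_is_rootdn,
        "allow_user_change": allow_user_change,
        # True when the policy will refuse changes made through Samba's admin dn.
        "samba_change_blocked": ppolicy_loaded and not allow_user_change and not admin_is_rootdn,
    }


if __name__ == "__main__":
    for key, value in evaluate(SMB_CONF, SLAPD_CONF, POLICY_LDIF).items():
        print(f"{key}: {value}")
```

With the constructed input the report shows samba_change_blocked: True, which is the situation in the thread: slapd refuses the userPassword modification with "Insufficient access" even though the Windows client may still report success. Swapping the rootdn to the same DN as "ldap admin dn" flips admin_is_rootdn to True and the policy no longer applies to Samba's changes, which is the case Andrew Bartlett's question was probing.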