[Samba] Samba 3.0.24 handling LDAP responses incorrectly

Ryan Steele rsteele at archer-group.com
Wed Apr 9 13:59:03 GMT 2008

Volker Lendecke wrote:
> On Tue, Apr 08, 2008 at 10:10:18AM -0400, Ryan Steele wrote:
>> I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure
>> why it's showing the user this message instead.  I see I can edit the
>> values that Samba is showing the user with pdbedit, but I shouldn't need
>> to edit that - my password policy is defined in LDAP, and those are the
>> message I'd like the users to see.
> How are these policies exactly defined in LDAP? Are they
> visible for LDAP clients?

It's an explicit entry in LDAP:

56 cn=Password Policy,ou=Policies,dc=example,dc=com
cn: Password Policy
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdMinAge: 3468000
pwdMinLength: 6
pwdExpireWarning: 432000
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdLockout: TRUE
pwdCheckQuality: 1
pwdGraceAuthNLimit: 0
pwdInHistory: 6
pwdMaxFailure: 2
pwdLockoutDuration: 60
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: top
pwdCheckModule: check_password.so
pwdSafeModify: FALSE

The check_password.so module is what's doing the strength checks,
similar to how the 'check password script' works in Samba.  All other
password policy attributes listed above are visible (read access) from a
directory listing (for every user).

> If they are visible, then we might have a chance to return
> them to the client, although this would require coding. If
> they are defined in some LDAP server config file that is not
> visible to Samba, then we can't export those to the client.

It sounds like everything is pretty cut and dry with the exception of
the checks enforced by check_password.so.  But, I think if Samba just
returned the errors sent back by LDAP/check_password.so (e.g., "password
too short", "password does not meet required strength checks", etc.),
that would suffice.  I can see that Samba receives these error messages,
but seems to do nothing with them (log information included in previous
posts in this thread).  If that can be rectified, that should get us
pretty close, no?

Thanks as always,

More information about the samba mailing list