[Samba] Samba 3.0.24 handling LDAP responses incorrectly

Adam Tauno Williams adamtaunowilliams at gmail.com
Wed Apr 9 15:40:33 GMT 2008

> >> I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure
> >> why it's showing the user this message instead.  I see I can edit the
> >> values that Samba is showing the user with pdbedit, but I shouldn't need
> >> to edit that - my password policy is defined in LDAP, and those are the
> >> message I'd like the users to see.
> > How are these policies exactly defined in LDAP? Are they
> > visible for LDAP clients?
> It's an explicit entry in LDAP:

ppolicy support in Samba would be awesome.  Would make PCI/DSS (and
other regulatory compliance) *much* easier for shops using a Samba PDC.


> 56 cn=Password Policy,ou=Policies,dc=example,dc=com
> cn: Password Policy
> pwdAttribute: userPassword
> pwdMaxAge: 3888000
> The check_password.so module is what's doing the strength checks,
> similar to how the 'check password script' works in Samba.  All other
> password policy attributes listed above are visible (read access) from a
> directory listing (for every user).
> > If they are visible, then we might have a chance to return
> > them to the client, although this would require coding. If
> > they are defined in some LDAP server config file that is not
> > visible to Samba, then we can't export those to the client.
> It sounds like everything is pretty cut and dry with the exception of
> the checks enforced by check_password.so.  But, I think if Samba just
> returned the errors sent back by LDAP/check_password.so (e.g., "password
> too short", "password does not meet required strength checks", etc.),
> that would suffice. 

Yep,  that is what happens.

>  I can see that Samba receives these error messages,
> but seems to do nothing with them (log information included in previous
> posts in this thread).  If that can be rectified, that should get us
> pretty close, no?

Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org

More information about the samba mailing list