[Samba] Enforcing password history policy on password resets

Mateusz Uzdowski mateusz at silverstripe.com
Tue Jul 12 22:14:14 UTC 2016


Hi there,

We are using Samba as a user directory for our application. Passwords are
stored in unicodePwd attribute, and our application resets passwords
through LDAP (without the knowledge of the previous password, because it's
an email-based reset).

Unfortunately resetting it like this prevents the "password history" policy
enforcement. This is a security problem that will come up on the first
security audit.

Microsoft recognised this as a problem and in Windows 2008 R2 SP1
introduced a supportedControl on RootDSE:
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID (1.2.840.113556.1.4.2066), later
LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113556.1.4.2239), which enables such
password history enforcement on LDAP password resets.

I've been trawling the internet and Samba source code looking for a way to
achieve the same thing, to no avail.

Does anyone have any suggestions on how to get password history to be
enforced on password resets?

Many thanks,
Mateusz

-- 

Mateusz Uzdowski | Principal Developer
SilverStripe
http://silverstripe.com/

Phone: +64 4 978 7330 xtn 68
Skype: MateuszUzdowski

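Added example, not part of Mateusz's post and not Samba project code: what the control he refers to looks like on the wire, and how an application-side reset would attach it. Per MS-ADTS the control value of LDAP_SERVER_POLICY_HINTS_OID is the BER encoding of `PolicyHintsRequestValue ::= SEQUENCE { Flags INTEGER }`, with Flags = 1 asking the DC to enforce password history on an administrative reset. The code below builds that value by hand, encodes unicodePwd the way AD expects (new password in double quotes, UTF-16-LE), picks the OID to use from a RootDSE supportedControl list (preferring the non-deprecated one), and wires it into a single-REPLACE modify. The LDAP transport uses the third-party `ldap3` library (an assumption, imported only where needed); host name, bind DN and user DN in the `__main__` section are placeholders. Whether a given Samba release honours the control is not established by this thread; a Windows DC needs the session to be LDAPS or SASL-sealed before it will accept a unicodePwd modification at all.

```python
"""Added example: LDAP_SERVER_POLICY_HINTS control for an admin password reset.

Not code from the post or from Samba. Assumes the ldap3 package for the
network part; the encoding helpers are pure stdlib and run offline.
"""

# OIDs quoted in the post (RootDSE supportedControl values).
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID = "1.2.840.113556.1.4.2066"  # 2008 R2 SP1
LDAP_SERVER_POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"             # later DCs
# Flags value 1: enforce password history on the reset (MS-ADTS).
POLICY_HINTS_ENFORCE_HISTORY = 1


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_integer(value: int) -> bytes:
    """BER INTEGER (tag 0x02), two's complement, minimal number of octets."""
    if value == 0:
        body = b"\x00"
    else:
        nbytes = (value.bit_length() + 8) // 8  # one extra bit for the sign
        body = value.to_bytes(nbytes, "big", signed=True)
    return b"\x02" + ber_length(len(body)) + body


def encode_policy_hints(flags: int = POLICY_HINTS_ENFORCE_HISTORY) -> bytes:
    """controlValue = PolicyHintsRequestValue ::= SEQUENCE { Flags INTEGER }."""
    inner = ber_integer(flags)
    return b"\x30" + ber_length(len(inner)) + inner


def encode_unicode_pwd(password: str) -> bytes:
    """AD takes unicodePwd as the new password wrapped in double quotes, UTF-16-LE."""
    return f'"{password}"'.encode("utf-16-le")


def select_policy_hints_oid(supported_controls):
    """Pick the control OID a DC advertises in RootDSE supportedControl.

    Prefers the current OID, falls back to the deprecated one, returns None
    when the directory advertises neither (the situation the post describes).
    """
    advertised = set(supported_controls)
    for oid in (LDAP_SERVER_POLICY_HINTS_OID, LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID):
        if oid in advertised:
            return oid
    return None


def policy_hints_control(oid: str = LDAP_SERVER_POLICY_HINTS_OID,
                         flags: int = POLICY_HINTS_ENFORCE_HISTORY,
                         critical: bool = True):
    """ldap3-style request control tuple: (controlType, criticality, controlValue).

    Criticality True makes the DC reject the whole operation instead of silently
    ignoring the control, which is what you want from a security check.
    """
    return (oid, critical, encode_policy_hints(flags))


def reset_password(conn, user_dn: str, new_password: str, enforce_history: bool = True):
    """Administrative reset: one REPLACE of unicodePwd, no old password needed.

    `conn` is an already-bound ldap3 Connection over LDAPS or a sealed SASL
    session (assumption: ldap3 installed). Returns (ok, result_dict).
    """
    from ldap3 import MODIFY_REPLACE  # third-party dependency, imported lazily

    oid = select_policy_hints_oid(conn.server.info.supported_controls or []) \
        if enforce_history else None
    controls = [policy_hints_control(oid)] if oid else None
    changes = {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}
    ok = conn.modify(user_dn, changes, controls=controls)
    return ok, conn.result


if __name__ == "__main__":
    # Placeholders: host, bind identity and target DN are not from the post.
    from ldap3 import ALL, Connection, Server
    server = Server("dc.example.test", port=636, use_ssl=True, get_info=ALL)
    conn = Connection(server, user="CN=svc-reset,CN=Users,DC=example,DC=test",
                      password="bind-password", auto_bind=True)
    ok, result = reset_password(conn, "CN=alice,CN=Users,DC=example,DC=test",
                                "Tr0ub4dor&3-new")
    # With the control honoured, a password from the history yields
    # result["description"] == "unwillingToPerform" and ok is False.
    print(ok, result.get("description"), result.get("message"))
```

The interesting behaviour is the failure path: with the control attached and critical, a reused password comes back as `unwillingToPerform` with the usual 0000052D constraint text, which is the audit evidence the post is after. If `select_policy_hints_oid` returns None the reset goes through with no history check, so an application that wants the guarantee should treat that as a hard error rather than fall through silently.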