[Samba] Enforcing password history policy on password resets
Andrew Bartlett
abartlet at samba.org
Thu Jul 21 02:47:51 UTC 2016
On Wed, 2016-07-13 at 10:14 +1200, Mateusz Uzdowski wrote:
> Hi there,
>
> We are using Samba as a user directory for our application. Passwords
> are stored in the unicodePwd attribute, and our application resets
> passwords through LDAP (without the knowledge of the previous password,
> because it's an email-based reset).
>
> Unfortunately resetting it like this prevents the "password history"
> policy enforcement. This is a security problem that will come up on the
> first security audit.
>
> Microsoft recognised this is a problem and in Windows 2008 R2 SP1
> introduced a supportedControl on RootDSE:
> LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID (1.2.840.113556.1.4.2066),
> later LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113556.1.4.2239), which
> enables such password history enforcement on LDAP password resets.
>
> I've been trawling the internet and Samba source code looking for a
> way to achieve the same thing, to no avail.
>
> Does anyone have any suggestions on how to get password history to be
> enforced on password resets?
Try this patch :-)
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-HACK-DSDB_LDAP_SERVER_POLICY_HINTS_OID.patch
Type: text/x-patch
Size: 10923 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20160721/e1b53088/0001-HACK-DSDB_LDAP_SERVER_POLICY_HINTS_OID.bin>
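As an added illustration (not Andrew's patch and not Samba code) of what the client side of the request in the quoted question looks like once the server honours the control: the reset replaces unicodePwd and attaches LDAP_SERVER_POLICY_HINTS_OID as a critical control, so a server that does not support it rejects the request instead of silently skipping the history check. The control value is the BER-encoded SEQUENCE { Flags INTEGER } with Flags = 1 defined for this control in MS-ADTS; the ldap3-style `modify(dn, changes, controls=...)` shape and the `RecordingConnection` stand-in are assumptions made so the example runs offline.

```python
from typing import Any, Dict, List, Tuple

# OIDs quoted in the original question.
LDAP_SERVER_POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID = "1.2.840.113556.1.4.2066"

# Flags value 1 = apply the password history policy to this reset
# (local name; the bit value comes from the MS-ADTS control definition).
POLICY_HINT_ENFORCE_HISTORY = 0x1


def policy_hints_control_value(flags: int = POLICY_HINT_ENFORCE_HISTORY) -> bytes:
    """BER-encode PolicyHintsRequestValue ::= SEQUENCE { Flags INTEGER }."""
    if not 0 <= flags <= 0x7F:  # only single-byte INTEGER values are handled here
        raise ValueError("flags must fit in one positive BER byte")
    integer = bytes([0x02, 0x01, flags])          # INTEGER, length 1, value
    return bytes([0x30, len(integer)]) + integer  # SEQUENCE wrapping it


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd takes the new password wrapped in double quotes, as UTF-16LE.
    The attribute is only writable over an encrypted (TLS/LDAPS) session."""
    return f'"{password}"'.encode("utf-16-le")


def build_reset_request(dn: str, new_password: str, enforce_history: bool = True
                        ) -> Tuple[str, Dict[str, List[Tuple[str, List[bytes]]]], List[Tuple[str, bool, bytes]]]:
    """Return (dn, changes, controls) in the ldap3-style modify() layout (assumed)."""
    changes = {"unicodePwd": [("MODIFY_REPLACE", [encode_unicode_pwd(new_password)])]}
    controls: List[Tuple[str, bool, bytes]] = []
    if enforce_history:
        # criticality=True: fail closed on a server that ignores the control
        controls.append((LDAP_SERVER_POLICY_HINTS_OID, True, policy_hints_control_value()))
    return dn, changes, controls


def reset_password(conn: Any, dn: str, new_password: str, enforce_history: bool = True) -> bool:
    """Send the reset through any object exposing modify(dn, changes, controls=...)."""
    dn, changes, controls = build_reset_request(dn, new_password, enforce_history)
    return conn.modify(dn, changes, controls=controls)


class RecordingConnection:
    """Stand-in for a real LDAP connection: records the request instead of sending it."""
    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any], List[Tuple[str, bool, bytes]]]] = []

    def modify(self, dn: str, changes: Dict[str, Any], controls=None) -> bool:
        self.calls.append((dn, changes, list(controls or [])))
        return True
```

Against a live directory the same `reset_password()` call would be made with a TLS-protected ldap3 `Connection` in place of `RecordingConnection`; an unpatched server answers a critical unsupported control with unavailableCriticalExtension rather than performing an unchecked reset.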