From: Juan Asensio Sánchez on 30 Jun 2010 07:20

Well, if this can help anybody, I found a workaround that is not perfect, but works fine.

http://lists.fedoraproject.org/pipermail/389-users/2010-June/011685.html

Regards.

On 28 June 2010 at 12:40, Juan Asensio Sánchez <okelet(a)gmail.com> wrote:

> Hi
>
> We have some Samba servers using LDAP (389 DS) as backend. In the LDAP
> server, we have defined some policies to make the passwords stronger. When a
> user tries to change his password (Control-Alt-Del), this message appears in
> the LOGs:
>
> ==> /var/log/samba/xptest <==
> [2010/06/28 12:26:26, 2] auth/auth.c:check_ntlm_password(309)
> check_ntlm_password: authentication for user [10000001S] -> [10000001S]
> -> [10000001S] succeeded
> [2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
> init_sam_from_ldap: Entry found for user: 10000001S
> [2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
> init_group_from_ldap: Entry found for group: 10001
> [2010/06/28 12:26:37, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
> init_group_from_ldap: Entry found for group: 10001
> [2010/06/28 12:26:38, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
> init_ldap_from_sam: Setting entry for user: 10000001S
> [2010/06/28 12:26:38, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
> ldapsam_modify_entry: LDAP Password could not be changed for user
> 10000001S: Constraint violation
> Failed to update password
>
>
> ==> /var/log/dirsrv/slapd-pruebas/audit <==
> time: 20100628122637
> dn: uid=10000001s,XXXXXXXXXXXXX
> changetype: modify
> delete: sambaLMPassword
> sambaLMPassword: 0182BD0BD4444BF836077A718CCDF409
> -
> add: sambaLMPassword
> sambaLMPassword: 39EAD569B79C7EA2C2265B23734E0DAC
> -
> delete: sambaNTPassword
> sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
> -
> add: sambaNTPassword
> sambaNTPassword: 8EC60ADEA316D957D1CF532C5841758D
> -
> delete: sambaPwdLastSet
> sambaPwdLastSet: 1277720109
> -
> add: sambaPwdLastSet
> sambaPwdLastSet: 1277720798
> -
> replace: modifiersname
> modifiersname: uid=adminsamba,XXXXXXXXXXX
> -
> replace: modifytimestamp
> modifytimestamp: 20100628102637Z
> -
>
> So, the Samba passwords are changed, but the unix password is not changed
> because the LDAP rejects it because it is not as strong as required. Is
> there any way to avoid this? Shouldn't the unix password be changed before
> the samba passwords to check if the LDAP server accepts it?
>
> Regards.
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Willy Offermans on 1 Jul 2010 08:30

Hello Samba Friend,

I'm sorry that I cannot help you in finding an answer to your question,
but I'm rather interested in how you can add password policies to the
LDAP server. Is this OpenLDAP? And how did you implement the policies?

On Mon, Jun 28, 2010 at 12:40:09PM +0200, Juan Asensio Sánchez wrote:

> Hi
>
> We have some Samba servers using LDAP (389 DS) as backend. In the LDAP
> server, we have defined some policies to make the passwords stronger. When a
> user tries to change his password (Control-Alt-Del), this message appears in
> the LOGs:
>
> ==> /var/log/samba/xptest <==
> [2010/06/28 12:26:26, 2] auth/auth.c:check_ntlm_password(309)
> check_ntlm_password: authentication for user [10000001S] -> [10000001S]
> -> [10000001S] succeeded
> [2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
> init_sam_from_ldap: Entry found for user: 10000001S
> [2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
> init_group_from_ldap: Entry found for group: 10001
> [2010/06/28 12:26:37, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
> init_group_from_ldap: Entry found for group: 10001
> [2010/06/28 12:26:38, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
> init_ldap_from_sam: Setting entry for user: 10000001S
> [2010/06/28 12:26:38, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
> ldapsam_modify_entry: LDAP Password could not be changed for user
> 10000001S: Constraint violation
> Failed to update password
>
>
> ==> /var/log/dirsrv/slapd-pruebas/audit <==
> time: 20100628122637
> dn: uid=10000001s,XXXXXXXXXXXXX
> changetype: modify
> delete: sambaLMPassword
> sambaLMPassword: 0182BD0BD4444BF836077A718CCDF409
> -
> add: sambaLMPassword
> sambaLMPassword: 39EAD569B79C7EA2C2265B23734E0DAC
> -
> delete: sambaNTPassword
> sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
> -
> add: sambaNTPassword
> sambaNTPassword: 8EC60ADEA316D957D1CF532C5841758D
> -
> delete: sambaPwdLastSet
> sambaPwdLastSet: 1277720109
> -
> add: sambaPwdLastSet
> sambaPwdLastSet: 1277720798
> -
> replace: modifiersname
> modifiersname: uid=adminsamba,XXXXXXXXXXX
> -
> replace: modifytimestamp
> modifytimestamp: 20100628102637Z
> -
>
> So, the Samba passwords are changed, but the unix password is not changed
> because the LDAP rejects it because it is not as strong as required. Is
> there any way to avoid this? Shouldn't the unix password be changed before
> the samba passwords to check if the LDAP server accepts it?
>
> Regards.

--
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Willy

*************************************
Dr. W.K. Offermans
CAT Postdoctoral Fellow
CAT Catalytic Center
Institut für Technische und Makromolekulare Chemie
RWTH Aachen
Worringerweg 1, Raum 38C-150
D-52074 Aachen, Germany
Phone: +49 241 80 28592
Fax: +49 241 80 22593
Home: +31 45 544 49 44
Mobile: +31 681 15 87 68
e-mail: Willy(a)Offermans.Rompen.nl
e-mail: Willy.Offermans(a)CatalyticCenter.RWTH-Aachen.de

Powered by ....

(__)
\\\'',)
\/ \ ^
.\._/_)

www.FreeBSD.org
From: Juan Asensio Sánchez on 1 Jul 2010 08:50

Hi

We are using 389 Directory Server (formerly Fedora Directory Server).

http://directory.fedoraproject.org/

There, regarding password policies, you can specify minimum password length, minimum digits, minimum letters, minimum uppercase, minimum lowercase, minimum symbols, minimum ascii characters, minimum group types of characters, password history, etc.

http://www.redhat.com/docs/manuals/dir-server/8.1/admin/User_Account_Management.html

Regards.

On 1 July 2010 at 14:27, Willy Offermans <Willy(a)offermans.rompen.nl> wrote:

> Hello Samba Friend,
>
> I'm sorry that I cannot help you in finding an answer to your question,
> but I'm rather interested in how you can add password policies to the
> LDAP server. Is this OpenLDAP? And how did you implement the policies?
>
> --
> Met vriendelijke groeten,
> With kind regards,
> Mit freundlichen Gruessen,
> De jrus wah,
>
> Willy
>
> *************************************
> Dr. W.K. Offermans
> CAT Postdoctoral Fellow
> CAT Catalytic Center
> Institut für Technische und Makromolekulare Chemie
> RWTH Aachen
> Worringerweg 1, Raum 38C-150
> D-52074 Aachen, Germany
> Phone: +49 241 80 28592
> Fax: +49 241 80 22593
> Home: +31 45 544 49 44
> Mobile: +31 681 15 87 68
> e-mail: Willy(a)Offermans.Rompen.nl
> e-mail: Willy.Offermans(a)CatalyticCenter.RWTH-Aachen.de
>
> Powered by ....
>
> (__)
> \\\'',)
> \/ \ ^
> .\._/_)
>
> www.FreeBSD.org
>
From: Björn Jacke on 6 Jul 2010 05:10

On 2010-06-28 at 12:40 +0200 Juan Asensio Sánchez sent off:

> So, the Samba passwords are changed, but the unix password is not changed
> because the LDAP rejects it because it is not as strong as required. Is
> there any way to avoid this? Shouldn't the unix password be changed before
> the samba passwords to check if the LDAP server accepts it?

This is also described in https://bugzilla.samba.org/show_bug.cgi?id=7101

Can you please try out how well the patch from https://bugzilla.samba.org/attachment.cgi?id=5277 works for you?

Thanks
Björn

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
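
Added example (not part of the thread, and not Samba or 389 DS code): one way to find accounts left in the state the first message describes, where the audit log shows the Samba hashes replaced while the Samba log shows the password change rejected with a constraint violation. It assumes both logs use the same local time, as in the quoted excerpts; the sample records, the DN suffix and the HASH_* values are constructed.

```python
import re
from datetime import datetime, timedelta
# Constructed samples in the format of the two logs quoted in the thread.
SAMBA_LOG = """\
[2010/06/28 12:26:38, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
  ldapsam_modify_entry: LDAP Password could not be changed for user 10000001S: Constraint violation
"""
AUDIT_LOG = """\
time: 20100628122637
dn: uid=10000001s,ou=people,dc=example,dc=com
changetype: modify
delete: sambaNTPassword
sambaNTPassword: HASH_OLD
-
add: sambaNTPassword
sambaNTPassword: HASH_NEW
-
time: 20100628130000
dn: uid=20000002t,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: HASH_NEW
-
"""
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\]")
FAIL = re.compile(r"LDAP Password could not be changed for user (\S+): Constraint violation")

def rejected_changes(samba_log):
    """Yield (user, time) for each password change the directory policy rejected."""
    stamp = None
    for line in samba_log.splitlines():
        if m := HEADER.match(line):
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        elif stamp and (f := FAIL.search(line)):
            yield f.group(1).lower(), stamp  # uid case differs between the logs

def hash_only_updates(audit_log):
    """Yield (uid, time) for audit records that modify sambaNTPassword but not userPassword."""
    for rec in re.split(r"(?m)^(?=time: )", audit_log):
        attrs = set(re.findall(r"^(?:add|delete|replace): (\S+)", rec, re.M))
        t = re.search(r"^time: (\d{14})", rec, re.M)
        dn = re.search(r"^dn: uid=([^,]+),", rec, re.M)
        if t and dn and "sambaNTPassword" in attrs and "userPassword" not in attrs:
            yield dn.group(1).lower(), datetime.strptime(t.group(1), "%Y%m%d%H%M%S")

def desynced_users(samba_log, audit_log, window=timedelta(seconds=5)):
    """Users whose Samba hashes changed within `window` of a rejected password change."""
    return sorted({u for u, t in hash_only_updates(audit_log)
                   for ru, rt in rejected_changes(samba_log) if u == ru and abs(rt - t) <= window})
```

Accounts it reports hold new Samba hashes next to an unchanged unix password, so they are the ones to reset or re-synchronise.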