Ryan Steele wrote:
Howard and others,
Let me ask two theoretical questions, before I submit my comments below. Windows XP/2000/et al. send their passwords via SMB hashed.
That is not true for a password change request, so the rest of this question is irrelevant.
So, without configuring those workstations to send the passwords plaintext over the wire, is there any way for ppolicy to act on the ldapmodify initiated by Samba from Windows clients attempting to change their passwords?
Furthermore, if the above change is made so that ppolicy can evaluate the plaintext password, what exactly will the interaction between LDAP and the clients be if it fails to clear ppolicy constraints?
When you get it working you'll know. Questions of the form "what will happen if" will always get answered by "try it and see."
This is syslog output, not debug output. I said to bump up the debug level.
Maybe I'm misunderstanding. From the slapd.conf manpage:
loglevel <integer> [...] Specify the level at which debugging statements and operation statistics should be syslogged (currently logged to the syslogd(8) LOG_LOCAL4 facility).
I thought "debugging statements" is what you wanted? When I start slapd with the -d option, I seem to get the same output as when I specify 'loglevel N' in the slapd.conf.
As I've said countless times - syslog is not a debugging tool. It is lossy; when the syslog daemon gets too busy it discards messages. If it could be used for everything there would be no need for us to provide a "-d" option. But in fact, we *do* provide a "-d" option, and debugging is its only purpose.
<snip>
As already mentioned, ppolicy doesn't restrict the rootDN. If you want your policy constraints to work, you have to bind with some other DN to make the changes. That will of course mean that you have to give that DN write access to the selected attributes in your ACL.
Ok - I'll create an LDAP user specifically for changing passwords, and set that as my "ldap admin dn" in the smb.conf, so the change won't be done by the rootdn, as recommended by Adam and yourself. I'll then create an entry in the slapd.conf like the one below and give that a shot.
# ACL's
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
        by self write
        by * auth
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange,pwdChangedTime,pwdHistory
        by dn="cn=pwchanger,dc=example,dc=com" write
You need to re-read the ACL docs.
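Added illustration, not part of the thread and not OpenLDAP's code: a small model of the first-match ACL evaluation documented in slapd.access(5), run over the two "access to" directives posted above and over a reordered version. The point it makes concrete is that slapd consults only the first "access to" directive whose target covers the attribute, and within it only the first matching "by" clause; with the posted ordering, cn=pwchanger hits the first directive, matches "by * auth", and never reaches the second directive that would have given it write. The parser covers only the slapd.conf subset used on the page; the user DNs (alice, bob) are constructed for the demo, and the rootdn, which bypasses ACLs entirely, is not modelled.

```python
# Added illustration, not code from the thread or from OpenLDAP: a model of the
# first-match ACL evaluation described in slapd.access(5), applied to the two
# 'access to' directives posted above and to a reordered version.
# Only the slapd.conf subset used on the page is parsed; the DNs for ordinary
# users (alice, bob) are constructed for this demo.
import re
from dataclasses import dataclass, field

# slapd access levels, weakest to strongest; granting level X also satisfies
# any request for a weaker level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Acl:
    attrs: set                                   # lower-cased <what> attributes
    clauses: list = field(default_factory=list)  # (who, level) pairs, in order


def parse_acls(text):
    """Parse 'access to attrs=...' directives, one 'by <who> <level>' per line."""
    acls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^access to attrs=(\S+)$', line)
        if m:
            acls.append(Acl(attrs={a.lower() for a in m.group(1).split(",")}))
            continue
        m = re.match(r'^by (dn="[^"]*"|self|\*|anonymous|users) (\w+)$', line)
        if m and acls and m.group(2) in LEVELS:
            acls[-1].clauses.append((m.group(1), m.group(2)))
            continue
        raise ValueError("unsupported line in this model: %r" % raw)
    return acls


def who_matches(who, requester, target):
    """requester: bound DN (None = anonymous); target: DN of the entry touched."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target.lower()
    # dn="..." is an exact DN match (slapd's default dn style)
    return requester is not None and requester.lower() == who[4:-1].lower()


def granted(acls, requester, target, attr):
    """Level slapd grants: the FIRST 'access to' covering the attribute is the
    only one consulted; within it the FIRST matching 'by' decides; no matching
    'by' is an implicit 'by * none'."""
    for acl in acls:
        if attr.lower() in acl.attrs:
            for who, level in acl.clauses:
                if who_matches(who, requester, target):
                    return level
            return "none"
    return "none"  # no directive matched; modelled as deny (not reached below)


def allows(acls, requester, target, attr, needed):
    return LEVELS.index(granted(acls, requester, target, attr)) >= LEVELS.index(needed)


PW_ATTRS = ("userPassword,sambaNTPassword,sambaLMPassword,"
            "shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange")

# The two directives as posted in the thread.
POSTED = f"""
access to attrs={PW_ATTRS}
    by self write
    by * auth
access to attrs={PW_ATTRS},pwdChangedTime,pwdHistory
    by dn="cn=pwchanger,dc=example,dc=com" write
"""

# Reordered: the password-changer DN sits in the same directive, ahead of the
# catch-all 'by * auth'. pwdChangedTime/pwdHistory are dropped: the ppolicy
# overlay maintains them itself and they are NO-USER-MODIFICATION.
FIXED = f"""
access to attrs={PW_ATTRS}
    by dn="cn=pwchanger,dc=example,dc=com" write
    by self write
    by * auth
"""

PWCHANGER = "cn=pwchanger,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"  # constructed
BOB = "uid=bob,ou=people,dc=example,dc=com"      # constructed


def demo():
    """Level each requester gets on alice's userPassword under both configs."""
    out = {}
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        acls = parse_acls(cfg)
        out[name] = {
            "pwchanger": granted(acls, PWCHANGER, ALICE, "userPassword"),
            "alice": granted(acls, ALICE, ALICE, "userPassword"),
            "bob": granted(acls, BOB, ALICE, "userPassword"),
            "anonymous": granted(acls, None, ALICE, "userPassword"),
        }
    return out


if __name__ == "__main__":
    for cfg, levels in demo().items():
        print(cfg, levels)
```

Under the posted ordering the demo reports "auth" for cn=pwchanger on userPassword, so Samba's password change bound as that DN would be refused before ppolicy ever sees it; under the reordered directive it reports "write", while ordinary users still get only "auth" on each other's password attributes and "write" on their own.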