Ryan Steele wrote:
Hey Howard, Adam, and List:
I'm not even sure this is the path I ought to be going down. If smbk5pwd has no knowledge of ppolicy, and password changes from Windows clients won't adhere to those restrictions with any combination of configuration options in any currently known universe, perhaps what I really need is an alternate strategy. I'm open to suggestion; my only requirements are that password changes from a Windows workstation be subjected to the ppolicy constraints, and that the LDAP and Samba passwords all be in sync.
However, here are the log entries and the relevant slapd configuration options - pasted inline below:
Howard Chu wrote:
Ryan Steele wrote:
I realize that 'only' is what I want and that's what I'm using, however I think smbk5pwd is working. The two snippets below show the differences after a Windows user changes his password (from the ctrl+alt+delete menu):
Don't guess. Turn up the slapd debug level and show what it logs when you perform the actual password change.
Note that although the logs seem to indicate (at least to my untrained eyes) that access to userPassword, sambaLMPassword, and sambaNTPassword is denied, Windows tells me it's been updated, and I can in fact log out and log back in with the new password.
This is syslog output, not debug output. I said to bump up the debug level.
Apr 3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access to "uid=tester,ou=Users,dc=example,dc=com" "userPassword" requested
The only other references I found to these attributes in the logs (which are at loglevel 128) are:
Apr 3 07:27:00 ldapmaster slapd[1012]: <= root access granted
Apr 3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access to "uid=tester,ou=Users,dc=example,dc=com" "sambaLMPassword" requested
Apr 3 07:27:00 ldapmaster slapd[1012]: <= root access granted
Apr 3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access to "uid=tester,ou=Users,dc=example,dc=com" "sambaNTPassword" requested
As already mentioned, ppolicy doesn't restrict the rootDN. If you want your policy constraints to work, you have to bind with some other DN to make the changes. That will of course mean that you have to give that DN write access to the selected attributes in your ACL.
Also, don't make us guess - post the relevant portion of your slapd configuration.
include /etc/openldap/schema/ppolicy.schema
# Dynamic modules
moduleload smbk5pwd.la

rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}tFEA391Y3ZLHXkQDDk6f0t1ZkJEuMwIj

# Overlays - ppolicy for enforcing password restrictions and smbk5pwd for syncing LDAP and Samba passwords
overlay smbk5pwd
overlay ppolicy
ppolicy_default "cn=Password Policy,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout

# ACL's
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
    by self write
    by * auth
access to * by * read
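The configuration below is an added example, not something posted in this thread, showing one way to apply Howard's advice: give Samba its own bind DN instead of the rootdn, grant that DN write access to the password attributes in the ACL, and point smb.conf at it. The rootdn, overlay stack, policy DN and schema path follow Ryan's posted slapd.conf; the service DN cn=samba,ou=Services,dc=example,dc=com, the smb.conf contents and the ldap:// URL are assumptions made for the example. Note that ppolicy only checks changes to userPassword, so the 'only' setting (route the change through the LDAP Password Modify extended operation and let smbk5pwd derive the Samba hashes) is what makes the policy see the Windows change at all; a direct modify of sambaNTPassword by Samba would not be checked.

```conf
# ---- slapd.conf (assumed layout; rootdn/overlay/policy lines as in Ryan's post) ----
include    /etc/openldap/schema/ppolicy.schema
moduleload smbk5pwd.la

database   bdb
suffix     "dc=example,dc=com"
rootdn     "cn=admin,dc=example,dc=com"
# rootpw as in the original configuration (omitted here)

# The overlay listed last is invoked first, so ppolicy evaluates the
# new userPassword before smbk5pwd derives sambaNTPassword/sambaLMPassword.
overlay smbk5pwd
overlay ppolicy
ppolicy_default "cn=Password Policy,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout

# Dedicated bind DN for Samba (assumed name). Unlike the rootdn it is subject
# to ppolicy AND to these ACLs, so it needs write access to every attribute
# that Samba and smbk5pwd update on a password change.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
    by dn.exact="cn=samba,ou=Services,dc=example,dc=com" write
    by self write
    by * auth
# Samba also needs to read the account entries; if it is expected to create
# or delete accounts it needs write here too, which is left out deliberately.
access to *
    by * read

# ---- smb.conf (assumed; 'ldap admin dn' is the DN Samba binds as for LDAP writes) ----
[global]
    passdb backend   = ldapsam:ldap://ldapmaster.example.com
    ldap suffix      = dc=example,dc=com
    ldap user suffix = ou=Users
    # NOT the rootdn: ppolicy silently exempts cn=admin from every check.
    ldap admin dn    = cn=samba,ou=Services,dc=example,dc=com
    # 'only': send the new password via the Password Modify extended operation
    # and let smbk5pwd set the Samba hashes, instead of Samba writing them directly.
    ldap passwd sync = only
```

The secret for cn=samba is stored in secrets.tdb with `smbpasswd -w` after changing `ldap admin dn`. To confirm enforcement without a Windows client, bind as the service DN and try a policy-violating password with `ldappasswd -x -D "cn=samba,ou=Services,dc=example,dc=com" -W -S "uid=tester,ou=Users,dc=example,dc=com"`; slapd should now reject it, while the same change bound as cn=admin still goes through, which is exactly the rootdn exemption Howard describes.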