Buchan Milne wrote:
> Furthermore, if the above change is made so that ppolicy can evaluate the plaintext password, what exactly will the interaction between LDAP and the clients be if it fails to clear ppolicy constraints?
slapd will fail the operation, with a suitable error code and error text. Whether samba will send a useful error to the client (so that the client workstation displays an appropriate error message) is the next question.
According to Thierry's post http://www.openldap.org/lists/openldap-software/200804/msg00066.html there's a problem there as well, but that's certainly a Samba or Windows issue, and nothing we can address in LDAP.
> The third question is, what will happen to the samba password expiry attributes, for both the case of changing via samba (should be fine) and changing via ldap (won't be updated, samba passwords will still appear to be expired). I also haven't had a chance to look at fixing that (and again, the Heimdal equivalent also applies).
Current CVS smbk5pwd already takes care of these Samba attributes. What version are you looking at?
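For readers who want to see what the two halves of this exchange look like in a configuration, here is an added example (not from the thread, and not OpenLDAP or Samba project code) of a cn=config LDIF that stacks slapo-ppolicy and slapo-smbk5pwd on the same database. The idea is that a Password Modify extended operation (as sent by ldappasswd, or by anything using that exop) carries the plaintext, so ppolicy can run its quality checks on it and fail the operation with an error code and text if they are not met, while smbk5pwd regenerates the sambaNTPassword/sambaLMPassword hashes and the Samba expiry attributes from that same plaintext, so a password changed via LDAP does not keep looking expired on the Samba side. Assumptions: the ppolicy and samba schemas are loaded, ppolicy.la and smbk5pwd.la are already loaded via olcModuleLoad, the data database is olcDatabase={1}mdb with suffix dc=example,dc=com, and the policy DN and timeouts are illustrative values.

```ldif
# Added example, not from the original thread. Assumes the ppolicy and samba
# schemas are present and both overlay modules are already loaded.

# 1. The default password policy entry. This lives in the data DIT, not in
#    cn=config. pwdCheckQuality 2 means "check the quality, and reject the
#    password if it cannot be checked", which is exactly what happens when a
#    client sends an already-hashed value instead of the plaintext.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 12
pwdInHistory: 5
pwdMaxAge: 7776000
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900

# 2. The ppolicy overlay. olcPPolicyHashCleartext makes slapd hash the value
#    itself after the checks, so clients can send plaintext safely over TLS.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE

# 3. The smbk5pwd overlay, Samba support only. On a Password Modify exop it
#    derives the Samba hashes from the plaintext and sets sambaPwdLastSet,
#    sambaPwdMustChange and sambaPwdCanChange. The must-change interval here
#    is chosen to match pwdMaxAge above so the two expiry views agree
#    (assumed values).
dn: olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSmbK5PwdConfig
olcOverlay: smbk5pwd
olcSmbK5PwdEnable: samba
olcSmbK5PwdMustChange: 7776000
olcSmbK5PwdCanChange: 0
```

The cn=config entries are added with `ldapadd -Y EXTERNAL -H ldapi:///`, the policy entry with an ordinary authenticated bind. A quick check of the failure mode discussed above is `ldappasswd -x -ZZ -D "uid=alice,ou=people,dc=example,dc=com" -W -S`, first with a password shorter than pwdMinLength (the exop should be refused with an error code and text from ppolicy) and then with an acceptable one, after which the entry should show fresh sambaNTPassword and sambaPwdLastSet values alongside the hashed userPassword. Two caveats: overlays run in the reverse of the order they are configured, so the ordering above is an assumption to verify against your slapd version, and a client that sends a pre-hashed userPassword in a plain modify (rather than the exop) gives neither overlay a plaintext to work with, which is the situation the thread is about.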