Volker Lendecke wrote:
On Fri, Sep 26, 2008 at 12:16:22PM -0400, Ryan Steele wrote:
Some months back, I entertained a conversation with Volker Lendecke, Adam Tauno Williams, and Simo Sorce about getting Samba to play nice with LDAP's ppolicy overlay. (Thread starts here: http://www.mail-archive.com/samba@lists.samba.org/msg92134.html and ends here: http://www.mail-archive.com/samba@lists.samba.org/msg92214.html) I was wondering if any progress had been made on this front that would make the job of maintaining PCI/DSS compliance for Samba PDC shops a bit more streamlined? Certainly, there have to be more than a few folks out there who would see this as a huge leap for Samba, and give it more of an edge in the market?

At least I'm not aware of anything that has been done.

Sorry,

Volker

Well, given that nothing has been done, what are other folks doing to synchronize Samba password policies with LDAP password policies?

I remember (and the aforementioned thread explains) the situation where a Windows client would attempt to change their password to something weak, and Samba would then ask LDAP if the password met the ppolicy restrictions. If it didn't, LDAP would return a message stating that the password policy was violated, but Samba would return a completely unrelated error message (even though it clearly got the ppolicy message from LDAP).

My workaround was to implement the same security policy in Samba via pdbedit, so essentially the LDAP policies were duplicated in Samba. Another thread I was involved in back then (http://lists.samba.org/archive/samba/2008-April/139594.html) briefly describes this. But, again, this is far from the perfect situation of having one universal way to enforce password policies, and still has its share of problems.

I'd be interested to hear what others have done to circumvent or otherwise work around this type of problem.

Respectfully,
Ryan
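The pdbedit duplication described in this message, as an added example that is not code from the thread or from the Samba project: a small script that reads a pwdPolicy entry and emits the pdbedit account-policy commands that mirror it, so the Samba copy is generated from the LDAP copy rather than retyped by hand. The sample entry and its values are constructed; the attribute names follow the OpenLDAP ppolicy schema and the policy names are Samba's own pdbedit -P names.

```shell
#!/bin/sh
# Added example: generate pdbedit account-policy commands from an OpenLDAP
# ppolicy (pwdPolicy) entry. Review the output before applying it as root.

# Constructed sample pwdPolicy entry (assumed values, LDIF-style attributes).
PPOLICY_LDIF='dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinLength: 8
pwdInHistory: 5
pwdMaxAge: 7776000
pwdMinAge: 86400
pwdMaxFailure: 5
pwdLockoutDuration: 1800
pwdFailureCountInterval: 1800'

# Print the value of one attribute from the LDIF text, or nothing if absent.
ppolicy_attr() {
    printf '%s\n' "$PPOLICY_LDIF" | sed -n "s/^$1: *//p"
}

# ppolicy stores intervals in seconds; Samba's "lockout duration" and
# "reset count minutes" are minutes, so round up rather than down.
seconds_to_minutes() {
    echo $(( ($1 + 59) / 60 ))
}

# Emit one pdbedit command when the attribute is present in the entry.
emit_policy() {
    if [ -n "$2" ]; then
        printf 'pdbedit -P "%s" -C %s\n' "$1" "$2"
    fi
}

# Map the ppolicy attributes onto their Samba account-policy counterparts.
ppolicy_to_pdbedit() {
    emit_policy "min password length"  "$(ppolicy_attr pwdMinLength)"
    emit_policy "password history"     "$(ppolicy_attr pwdInHistory)"
    emit_policy "maximum password age" "$(ppolicy_attr pwdMaxAge)"
    emit_policy "minimum password age" "$(ppolicy_attr pwdMinAge)"
    emit_policy "bad lockout attempt"  "$(ppolicy_attr pwdMaxFailure)"
    d=$(ppolicy_attr pwdLockoutDuration)
    if [ -n "$d" ]; then emit_policy "lockout duration" "$(seconds_to_minutes "$d")"; fi
    r=$(ppolicy_attr pwdFailureCountInterval)
    if [ -n "$r" ]; then emit_policy "reset count minutes" "$(seconds_to_minutes "$r")"; fi
    return 0
}

ppolicy_to_pdbedit
```

Attributes with no pdbedit counterpart (such as pwdCheckQuality) are not emitted, which is exactly the gap that makes the duplicated policy incomplete.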