while using freeIPA as a user database for a samba installation I found
a problem in the enforcement of password policies. FreeIPA password
policies are more detailed than samba's, in freeIPA one may enforce
password history and the number of character classes in a password, but
normally samba connects to freeIPA with the "Directory Manager" so those
policies are not enforced.

Reading the source of ipa_pwd_extop I see there are three possibilities
when changing passwords:

      * Password change by the user, with full enforcement of policies
      * Password change by an admin, with no enforcement of policies and
        the new password is set as expired so the user has to change it
        on next logon
      * Password change by Directory Manager, with no enforcement of
        policies and the password is not set as expired.

None of the aforementioned possibilities are ideal for samba, samba
should connect to freeIPA with a user privileged enough to change
password for all users but with fully enforced policies.

What do you think about this? Would you consider adding such feature?
Would you accept patches?

Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Freeipa-devel mailing list

Reply via email to