2017-08-30 17:11 GMT+02:00 Taylor Hammerling <thammerl...@tcsbasys.com>:
> I am using SSP against a Samba4 domain.
>
> I have set up the following password requirements in Samba4 (using
> samba-tool)
>
> Password complexity: off
> Store plaintext passwords: off
> Password history length: 24
> Minimum password length: 12
> Minimum password age (days): 30
> Maximum password age (days): 210
> Account lockout duration (mins): 30
> Account lockout threshold (attempts): 10
> Reset account lockout after (mins): 30
>
> in SSP I have set up the following password requirements
>
> Minimum length: 12
> Minimum number of different classes of characters (IE: upper, lower,
> numeric, special): 3
> Forbidden characters: @%$
> Your new password may not be the same as your old password
> Your new password may not be the same as your login
>
> I set the minimum password age to 30 days in the hopes that it would
> prevent someone from flip flopping passwords.
> IE changing their password twice in a row to get around actually having to
> use a new password ever.
> Like this
> old password = 'My super great password!'
> new password = 'My new super great password!'
>
> old password = 'My new super great password!'
> new password = 'My super great password!'
>
> Unfortunately I was able to flip flop passwords without issue, even though
> I have the Min password age set to 30 in Samba4.
>
> I am debating building a bit into the PHP of SSP which will document when
> a user changes their password, and then not allow them to change it again
> thru SSP until at least 30 days have passed.
> If there is a better/easier/builtin way, I'd love to hear about it!
>
> Any suggestions/help would be greatly appreciated!
>

Hello,

first, note that Samba4 is AD-like, so you need to configure SSP with AD mode. Then you must ensure that the $ldap_binddn you use in the configuration is not a power user that bypasses the password policy.

Another solution is to force the password change by the user; see the $who_change_password parameter.

If the Samba4 directory accepts the password change, then SSP cannot do anything to prevent it.

Clément.
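
The settings named in the reply above, as an added configuration sketch that is not part of the original thread or of the SSP project's own documentation. The parameter names are SSP's; the host name, DNs and password are constructed placeholders.

```php
<?php
// Added example for the SSP configuration file.
// Host, DNs and password below are constructed placeholders.

// Samba4 is AD-like: run SSP in AD mode so it writes unicodePwd
// instead of the LDAPv3 userPassword attribute.
$ad_mode = true;

// AD-style directories normally accept password writes only over an
// encrypted connection, so an ldaps:// URL is assumed here.
$ldap_url = "ldaps://dc1.example.org";

// Setup that allows the flip-flop described in the question:
// SSP writes the new password as the bind account, and per the reply a
// power-user bind account bypasses the directory's password policy.
//   $ldap_binddn = "CN=Administrator,CN=Users,DC=example,DC=org";
//   $who_change_password = "manager";

// Setup described in the reply: a low-privilege bind account used to
// look up the user entry, and the change itself performed as the user,
// so the directory applies its own minimum age and history rules.
$ldap_binddn = "CN=ssp-bind,CN=Users,DC=example,DC=org";
$ldap_bindpw = "CHANGE_ME";
$who_change_password = "user";
```

After changing these, repeating the two-step flip-flop from the question against a test account shows whether the directory now rejects the second change.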