Thanks for the reply! I do have SSP set up in AD mode.
When I try to set $who_change_password to "user", no one can change their password. SSP just fires back "Password was refused by the LDAP directory".

If I set $who_change_password to "manager", and $ldap_binddn is set to a service account user "ssp" who is delegated the following Active Directory rights (on Descendant User Objects) on the OU that houses all our users:

- Read pwdLastSet
- Write pwdLastSet
- Read lockoutTime
- Write lockoutTime
- Change Password
- Reset Password

then passwords can be changed, but it ignores the minimum password age I set in Samba4.

I tried removing the "Reset Password" delegation (because that's just like what an administrator would do, and I thought it might be bypassing the password policies); however, when I did that I received the same "Password was refused by the LDAP directory" as when setting the who_change_password variable to "user".

Thoughts? :D

On Wed, Aug 30, 2017 at 12:12 PM, Clément OUDOT <clem.ou...@gmail.com> wrote:

> 2017-08-30 17:11 GMT+02:00 Taylor Hammerling <thammerl...@tcsbasys.com>:
>
>> I am using SSP against a Samba4 domain.
>>
>> I have set up the following password requirements in Samba4 (using samba-tool):
>>
>> Password complexity: off
>> Store plaintext passwords: off
>> Password history length: 24
>> Minimum password length: 12
>> Minimum password age (days): 30
>> Maximum password age (days): 210
>> Account lockout duration (mins): 30
>> Account lockout threshold (attempts): 10
>> Reset account lockout after (mins): 30
>>
>> In SSP I have set up the following password requirements:
>>
>> Minimum length: 12
>> Minimum number of different classes of characters (i.e. upper, lower, numeric, special): 3
>> Forbidden characters: @%$
>> Your new password may not be the same as your old password
>> Your new password may not be the same as your login
>>
>> I set the minimum password age to 30 days in the hopes that it would prevent someone from flip-flopping passwords,
>> i.e. changing their password twice in a row to get around actually having to use a new password ever.
>> Like this:
>>
>> old password = 'My super great password!'
>> new password = 'My new super great password!'
>>
>> old password = 'My new super great password!'
>> new password = 'My super great password!'
>>
>> Unfortunately I was able to flip-flop passwords without issue, even though I have the Min password age set to 30 in Samba4.
>>
>> I am debating building a bit into the PHP of SSP which will document when a user changes their password, and then not allow them to change it again through SSP until at least 30 days have passed.
>> If there is a better/easier/builtin way, I'd love to hear about it!
>>
>> Any suggestions/help would be greatly appreciated!
>
> Hello,
>
> first, note that Samba4 is AD-like, so you need to configure SSP with AD mode.
>
> Then you must ensure that the $ldap_binddn you use in configuration is not a power user that bypasses the password policy. Another solution is to force the password change by the user, see the $who_change_password parameter.
>
> If the Samba4 directory accepts the password change, then SSP can not do anything to prevent it.
>
> Clément.
>
> _______________________________________________
> ltb-users mailing list
> ltb-users@lists.ltb-project.org
> https://lists.ltb-project.org/cgi-bin/mailman/listinfo/ltb-users

-- 
Taylor Hammerling | IT Manager
2800 Laura Lane | Middleton, WI 53562
O (608) 669-9070 | C (608) 512-7849
tcsbasys.com | ubiquistat.com
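An added example (Python, not SSP's own code) of the pre-check that Taylor's proposed PHP bookkeeping would amount to: Samba4 already records each change in the user's pwdLastSet attribute, which the "ssp" service account above is delegated to read, so the self-service layer can tell whether the 30-day minimum age has elapsed before it attempts a change. pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC; 0 means the password must be changed at next logon); the timestamps below are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: AD and Samba4 store pwdLastSet as 100 ns ticks since this instant.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# Policy value from the thread ("Minimum password age (days): 30" via samba-tool).
MIN_PASSWORD_AGE_DAYS = 30


def pwdlastset_to_datetime(pwd_last_set: int):
    """Convert pwdLastSet to an aware UTC datetime; 0 means 'must change at next logon'."""
    if pwd_last_set <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)


def datetime_to_pwdlastset(when: datetime) -> int:
    """Inverse conversion, used here only to build the constructed sample values."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND


def seconds_until_change_allowed(pwd_last_set: int, now: datetime,
                                 min_age_days: int = MIN_PASSWORD_AGE_DAYS) -> int:
    """0 if the minimum password age has elapsed, otherwise the seconds still to wait."""
    last_set = pwdlastset_to_datetime(pwd_last_set)
    if last_set is None:
        return 0  # must-change flag set: there is no age to enforce
    earliest = last_set + timedelta(days=min_age_days)
    remaining = (earliest - now.astimezone(timezone.utc)).total_seconds()
    return max(0, int(remaining))


def change_allowed(pwd_last_set: int, now: datetime,
                   min_age_days: int = MIN_PASSWORD_AGE_DAYS) -> bool:
    return seconds_until_change_allowed(pwd_last_set, now, min_age_days) == 0


# Constructed samples (not real directory data): "now" is the thread's date,
# one password set 15 days earlier, one set well before the 30-day window.
THREAD_NOW = datetime(2017, 8, 30, 12, 12, tzinfo=timezone.utc)
SAMPLE_RECENT = datetime_to_pwdlastset(datetime(2017, 8, 15, tzinfo=timezone.utc))
SAMPLE_OLD = datetime_to_pwdlastset(datetime(2017, 7, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for label, value in (("recent", SAMPLE_RECENT), ("old", SAMPLE_OLD), ("must-change", 0)):
        print(label, value, change_allowed(value, THREAD_NOW))
```

A pre-check like this only gives the user a clear message; the authoritative control is the directory itself, which applies minimum age and history to a user-initiated password change but not to an administrative reset, so the bind account's rights decide whether that control is actually in play.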