On 31/08/2017 at 14:19, Taylor Hammerling wrote:
> Clement - I sincerely appreciate your help on this! Unfortunately if
> SSP gives a generic "Password was refused by the LDAP directory" if
> any of the LDAP restrictions are triggered I'm not going to be able to
> use LDAP password restrictions. My end users absolutely need specific
> error messages, or they get REALLY ornery :D I'm guessing that LDAP
> doesn't provide SSP with any more information other than "REFUSED!".

SSP is coded in PHP, and the PHP LDAP library still does not support the
LDAP password policy control. Anyway, I'm not sure Samba4 respects the
password policy draft either.

For the moment you can configure some restrictions in the SSP configuration
so that if SSP accepts the password, then it is strong enough to be
accepted by the LDAP directory.

> What I'm going to do is set up a GPO to prevent users from changing
> their passwords through Windows. Then I'm going to turn off the LDAP
> password restrictions entirely. Then I'm going to add a bit into the
> SSP code that will track how frequently each user has changed their
> password and throw an error if they have changed their password within
> the last X days.
>
> This way the end user knows exactly why their password change failed,
> and I could even provide them with the date they can change their
> password again in the error message.

You will need to patch the SSP code to do that, and see how to get that
information from the Samba 4 directory.

Note that version 1.1 will soon be released with a lot of fixes and
enhancements:
https://github.com/ltb-project/self-service-password/milestone/3?closed=1
--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
_______________________________________________
ltb-users mailing list
ltb-users@lists.ltb-project.org
https://lists.ltb-project.org/cgi-bin/mailman/listinfo/ltb-users
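Added example, not code from SSP or from either poster: the minimum-age check Taylor describes, computed in the application from the Samba 4 / AD `pwdLastSet` attribute (assumed to be the source of "last password change" here, fetched for example with `ldap_read()` on the user's DN) so that the user can be told the exact date they may change again. It assumes 64-bit PHP for the FILETIME arithmetic, and it only covers changes that go through SSP, which is why the GPO blocking other change paths matters.

```php
<?php
// Added example (not SSP code): enforce "no password change within the
// last X days" in the application, using the AD/Samba 4 pwdLastSet attribute.

// pwdLastSet is a Windows FILETIME: 100-nanosecond intervals since
// 1601-01-01 UTC. Seconds between 1601-01-01 and the Unix epoch:
const FILETIME_EPOCH_OFFSET = 11644473600;

function filetimeToUnix(string $filetime): int
{
    // ldap_get_entries() returns the attribute as a decimal string;
    // needs 64-bit PHP, since the raw value exceeds 32 bits.
    return intdiv((int) $filetime, 10000000) - FILETIME_EPOCH_OFFSET;
}

/**
 * Returns ['allowed' => bool, 'nextAllowed' => int|null].
 * $pwdLastSet: raw attribute value; "0" means "must change at next logon",
 *              so there is no previous change to age from and the change is allowed.
 * $minAgeDays: the "X days" rule. $now: current Unix time, injected for testing.
 */
function passwordChangeAllowed(string $pwdLastSet, int $minAgeDays, int $now): array
{
    if ($pwdLastSet === '0' || $minAgeDays <= 0) {
        return ['allowed' => true, 'nextAllowed' => null];
    }
    $lastChange  = filetimeToUnix($pwdLastSet);
    $nextAllowed = $lastChange + $minAgeDays * 86400;
    return [
        'allowed'     => $now >= $nextAllowed,
        'nextAllowed' => $nextAllowed,
    ];
}

// Constructed sample: a pwdLastSet value for 2017-08-30 12:00:00 UTC,
// checked one day later against a 7-day minimum age.
$lastChangeUnix = 1504094400;
$sample = (string) (($lastChangeUnix + FILETIME_EPOCH_OFFSET) * 10000000);
$now    = 1504180800; // 2017-08-31 12:00:00 UTC
$result = passwordChangeAllowed($sample, 7, $now);

if ($result['allowed']) {
    echo "Password change permitted\n";
} else {
    // The specific message the end user asked for: reason plus retry date.
    echo "Password changed too recently; next change allowed on "
        . gmdate('Y-m-d H:i', $result['nextAllowed']) . " UTC\n";
}
```

With the sample above the check refuses the change and reports 2017-09-06 12:00 UTC as the next allowed date; a pwdLastSet of "0" or a minimum age of 0 always permits the change.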