Buchan Milne wrote:
> > Furthermore, if the above change is made so that ppolicy can evaluate
> > the plaintext password, what exactly will the interaction between LDAP
> > and the clients be if it fails to clear ppolicy constraints?
>
> slapd will fail the operation, with a suitable error code and error
> text. Whether samba will send a useful error to the client (so that
> the client workstation displays an appropriate error message) is the
> next question.

According to Thierry's post
http://www.openldap.org/lists/openldap-software/200804/msg00066.html
there's a problem there as well, but that's certainly a Samba or Windows
issue, and nothing we can address in LDAP.

> The third question is, what will happen to the samba password expiry
> attributes, for both the case of changing via samba (should be fine)
> and changing via ldap (won't be updated, samba passwords will still
> appear to be expired). I also haven't had a chance to look at fixing
> that (and again, the Heimdal equivalent also applies).

Current CVS smbk5pwd already takes care of these Samba attributes. What
version are you looking at?
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/