On Monday 13 August 2007 03:11, Andrew Bartlett wrote:
> On Thu, 2007-08-09 at 00:56 +0200, Thierry Lacoste wrote:
> > On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
> > > Dear Help,
> > >
> > > I'm currently running Samba with an LDAP passdb backend. I'm trying to
> > > figure out how to NOT allow a particular user to change their password
> > > (through Windows, or any interface). I've tried modifying the values
> > > for sambaPwdCanChange and sambaPwdMustChange for a particular user, but
> > > it seems like it only affects making them change their password,
> > > instead of whether or not they're ALLOWED to.
> >
> > With OpenLDAP one can use
> >     ldap passwd sync = only
> > in smb.conf and let the smbk5pwd overlay synchronize the LM and NT
> > passwords.
> >
> > If you add the ppolicy overlay you have a clean way to prevent password
> > changes for some accounts (through Windows, or any interface).
> > For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE
> >
> > The only problem is that a Windows client reports a successful password
> > change even though the password was not changed because of the above
> > pwdPolicy.
>
> Was it not changed? To OpenLDAP, the change from Samba doesn't look
> like a user change (because we set it using Samba's credentials).

According to man 5 slapo-ppolicy:

    Note that some of the policies do not take effect when the operation
    is performed with the rootdn identity; all the operations, when
    performed with any other identity, may be subjected to constraints,
    like access control.
The pwdPolicy applies to my smb.conf ldap admin dn because it is not my
slapd.conf rootdn.

- I first remove the pwdPolicy from a user's account using my rootdn:

  $ ldapmodify -D 'cn=ldapmgr,ou=managers,o=stars' -w ldappass
  dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
  changetype: modify
  delete: pwdPolicySubentry

  modifying entry "uid=lacoste,ou=Users,ou=Accounts,o=stars"

- I confirm that my slapd.conf ACLs allow my ldap admin dn to change a
  user's password:

  $ ldapmodify -D 'cn=sambamgr,ou=managers,o=stars' -w sambapass
  dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
  changetype: modify
  replace: userPassword
  userPassword: secret1

  modifying entry "uid=lacoste,ou=Users,ou=Accounts,o=stars"

- I apply a pwdPolicy:

  $ ldapsearch -LLL -b 'ou=Policies,o=stars' 'cn=frozen'
  dn: cn=frozen,ou=Policies,o=stars
  objectClass: pwdPolicy
  objectClass: device
  objectClass: top
  cn: frozen
  pwdAttribute: userPassword
  pwdAllowUserChange: FALSE

  $ ldapmodify -D 'cn=ldapmgr,ou=managers,o=stars' -w ldappass
  dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
  changetype: modify
  add: pwdPolicySubentry
  pwdPolicySubentry: cn=frozen,ou=Policies,o=stars

  modifying entry "uid=lacoste,ou=Users,ou=Accounts,o=stars"

- Now my ldap admin dn cannot change the user's password:

  $ ldapmodify -D 'cn=sambamgr,ou=managers,o=stars' -w sambapass
  dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
  changetype: modify
  replace: userPassword
  userPassword: secret2

  modifying entry "uid=lacoste,ou=Users,ou=Accounts,o=stars"
  ldap_modify: Insufficient access (50)
          additional info: User alteration of password is not allowed

Regards,
Thierry.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
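The verification Thierry walks through above, packaged as a repeatable POSIX sh check (an added example, not part of the thread or of Samba/OpenLDAP). It attaches the frozen pwdPolicy to the user as the slapd rootdn, then tries to replace the user's password as the smb.conf ldap admin dn and classifies the result, so an admin can confirm that the policy really constrains Samba's identity. The DNs, passwords and policy name are the placeholders from the thread; the LDAP URI, the environment variable names and the helper function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the list thread: a repeatable version of the
# check that a slapo-ppolicy entry with pwdAllowUserChange: FALSE also
# blocks the Samba "ldap admin dn" (any identity other than the rootdn).
# All values below are placeholders taken from the thread; replace them.
LDAP_URI="${LDAP_URI:-ldap://localhost}"
SLAPD_ROOTDN="${SLAPD_ROOTDN:-cn=ldapmgr,ou=managers,o=stars}"      # slapd.conf rootdn
SLAPD_ROOTPW="${SLAPD_ROOTPW:-ldappass}"
SAMBA_ADMIN_DN="${SAMBA_ADMIN_DN:-cn=sambamgr,ou=managers,o=stars}" # smb.conf ldap admin dn
SAMBA_ADMIN_PW="${SAMBA_ADMIN_PW:-sambapass}"
USER_DN="${USER_DN:-uid=lacoste,ou=Users,ou=Accounts,o=stars}"
POLICY_DN="${POLICY_DN:-cn=frozen,ou=Policies,o=stars}"

# LDIF that attaches ($1 = add) or detaches ($1 = delete) the policy
# subentry on the user, the same modify the rootdn performs in the thread.
policy_ldif() {
    printf 'dn: %s\nchangetype: modify\n%s: pwdPolicySubentry\n' "$USER_DN" "$1"
    if [ "$1" = add ]; then
        printf 'pwdPolicySubentry: %s\n' "$POLICY_DN"
    fi
}

# Turn an ldapmodify exit status and its output into a verdict. The
# enforced case in the thread reads "ldap_modify: Insufficient access (50)".
classify_modify() {
    if [ "$1" -eq 0 ]; then
        echo allowed
    elif printf '%s' "$2" | grep -q 'Insufficient access (50)'; then
        echo blocked-by-policy
    else
        echo other-error
    fi
}

# Attempt to replace the user's userPassword as the Samba admin DN.
try_password_change() {
    status=0
    out=$(printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
            "$USER_DN" "$1" |
          ldapmodify -H "$LDAP_URI" -D "$SAMBA_ADMIN_DN" -w "$SAMBA_ADMIN_PW" 2>&1) || status=$?
    classify_modify "$status" "$out"
}

run_check() {
    # slapo-ppolicy never constrains the rootdn, so a Samba admin DN that is
    # the rootdn can never be blocked by pwdAllowUserChange; say so up front.
    if [ "$SAMBA_ADMIN_DN" = "$SLAPD_ROOTDN" ]; then
        echo "ldap admin dn is the slapd rootdn: ppolicy will not constrain it" >&2
        return 2
    fi
    policy_ldif delete | ldapmodify -H "$LDAP_URI" -D "$SLAPD_ROOTDN" -w "$SLAPD_ROOTPW" >/dev/null 2>&1 || true
    echo "without policy: $(try_password_change secret1)"        # expected: allowed
    policy_ldif add | ldapmodify -H "$LDAP_URI" -D "$SLAPD_ROOTDN" -w "$SLAPD_ROOTPW" >/dev/null
    echo "with $POLICY_DN: $(try_password_change secret2)"       # expected: blocked-by-policy
}

# Only touch the directory when explicitly asked, so the helpers above can
# be sourced and exercised without a server.
if [ "${RUN_PPOLICY_CHECK:-0}" = 1 ]; then
    run_check
fi
```

Run it with `RUN_PPOLICY_CHECK=1 sh check_ppolicy.sh` after setting the variables for your directory. Passing bind passwords with `-w` makes them visible in the process list, as in the thread's transcript; OpenLDAP's `ldapmodify -y passwdfile` reads the password from a file instead. The script only tells you what the directory does; as Thierry notes, the Windows client may still report the change as successful even when the directory refused it.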