Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-09 Thread simo

On Wed, 2008-04-09 at 15:11 -0400, Adam Tauno Williams wrote:
> On Wed, 2008-04-09 at 11:57 -0400, simo wrote:
> > On Wed, 2008-04-09 at 17:54 +0200, Volker Lendecke wrote:
> > > On Wed, Apr 09, 2008 at 11:40:33AM -0400, Adam Tauno Williams wrote:
> > > > > > How are these policies exactly defined in LDAP? Are they
> > > > > > visible for LDAP clients?
> > > > > It's an explicit entry in LDAP:
> > > > ppolicy support in Samba would be awesome.  Would make PCI/DSS (and
> > > > other regulatory compliance) *much* easier for shops using a Samba PDC.
> > > > 
> > > Ok, that looks doable. Problem is as always developer time.
> > > I'd be happy to review patches though.
> > FYI: we are discussing a new IETF blessed RFC proposal for a
> > standard way to handle password policies in LDAP. Nothing implemented in
> > servers so far of course, but better to take that into account if someone
> > is going to write a patch so that it will be easier to switch to the
> > "standard" if we get one at the end of the process.
> 
> This is different than the existing one?  From the ppolicy man page:
> "The ppolicy overlay is an implementation of the most recent IETF
> Password Policy proposal for LDAP."
> 
> 

Yes it is different (although the new one is based on the Behera one),
this is the current one:
http://www.ietf.org/internet-drafts/draft-zeilenga-ldap-passwords-00.txt

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <[EMAIL PROTECTED]>
Senior Software Engineer at Red Hat Inc. <[EMAIL PROTECTED]>

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-09 Thread Adam Tauno Williams
On Wed, 2008-04-09 at 11:57 -0400, simo wrote:
> On Wed, 2008-04-09 at 17:54 +0200, Volker Lendecke wrote:
> > On Wed, Apr 09, 2008 at 11:40:33AM -0400, Adam Tauno Williams wrote:
> > > > > How are these policies exactly defined in LDAP? Are they
> > > > > visible for LDAP clients?
> > > > It's an explicit entry in LDAP:
> > > ppolicy support in Samba would be awesome.  Would make PCI/DSS (and
> > > other regulatory compliance) *much* easier for shops using a Samba PDC.
> > > 
> > Ok, that looks doable. Problem is as always developer time.
> > I'd be happy to review patches though.
> FYI: we are discussing a new IETF blessed RFC proposal for a
> standard way to handle password policies in LDAP. Nothing implemented in
> servers so far of course, but better to take that into account if someone
> is going to write a patch so that it will be easier to switch to the
> "standard" if we get one at the end of the process.

This is different than the existing one?  From the ppolicy man page:
"The ppolicy overlay is an implementation of the most recent IETF
Password Policy proposal for LDAP."





Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-09 Thread simo

On Wed, 2008-04-09 at 17:54 +0200, Volker Lendecke wrote:
> On Wed, Apr 09, 2008 at 11:40:33AM -0400, Adam Tauno Williams wrote:
> > > > How are these policies exactly defined in LDAP? Are they
> > > > visible for LDAP clients?
> > > It's an explicit entry in LDAP:
> > 
> > ppolicy support in Samba would be awesome.  Would make PCI/DSS (and
> > other regulatory compliance) *much* easier for shops using a Samba PDC.
> > 
> > 
> 
> Ok, that looks doable. Problem is as always developer time.
> I'd be happy to review patches though.

FYI: we are discussing a new IETF blessed RFC proposal for a
standard way to handle password policies in LDAP. Nothing implemented in
servers so far of course, but better to take that into account if someone
is going to write a patch so that it will be easier to switch to the
"standard" if we get one at the end of the process.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <[EMAIL PROTECTED]>
Senior Software Engineer at Red Hat Inc. <[EMAIL PROTECTED]>



Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-09 Thread Volker Lendecke
On Wed, Apr 09, 2008 at 11:40:33AM -0400, Adam Tauno Williams wrote:
> > > How are these policies exactly defined in LDAP? Are they
> > > visible for LDAP clients?
> > It's an explicit entry in LDAP:
> 
> ppolicy support in Samba would be awesome.  Would make PCI/DSS (and
> other regulatory compliance) *much* easier for shops using a Samba PDC.
> 
> 

Ok, that looks doable. Problem is as always developer time.
I'd be happy to review patches though.

Volker

P.S: http://samba.org/samba/support/ very likely lists
companies where you can buy that developer time. ;-))



Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-09 Thread Adam Tauno Williams
> >> I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure
> >> why it's showing the user this message instead.  I see I can edit the
> >> values that Samba is showing the user with pdbedit, but I shouldn't need
> >> to edit that - my password policy is defined in LDAP, and those are the
> >> messages I'd like the users to see.
> > How are these policies exactly defined in LDAP? Are they
> > visible for LDAP clients?
> It's an explicit entry in LDAP:

ppolicy support in Samba would be awesome.  Would make PCI/DSS (and
other regulatory compliance) *much* easier for shops using a Samba PDC.



> 56 cn=Password Policy,ou=Policies,dc=example,dc=com
> cn: Password Policy
> pwdAttribute: userPassword
> pwdMaxAge: 3888000
> The check_password.so module is what's doing the strength checks,
> similar to how the 'check password script' works in Samba.  All other
> password policy attributes listed above are visible (read access) from a
> directory listing (for every user).
> > If they are visible, then we might have a chance to return
> > them to the client, although this would require coding. If
> > they are defined in some LDAP server config file that is not
> > visible to Samba, then we can't export those to the client.
> It sounds like everything is pretty cut and dry with the exception of
> the checks enforced by check_password.so.  But, I think if Samba just
> returned the errors sent back by LDAP/check_password.so (e.g., "password
> too short", "password does not meet required strength checks", etc.),
> that would suffice. 

Yep,  that is what happens.

>  I can see that Samba receives these error messages,
> but seems to do nothing with them (log information included in previous
> posts in this thread).  If that can be rectified, that should get us
> pretty close, no?

-- 
Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org



Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-09 Thread Ryan Steele
Volker Lendecke wrote:
> On Tue, Apr 08, 2008 at 10:10:18AM -0400, Ryan Steele wrote:
>
>   
>> I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure
>> why it's showing the user this message instead.  I see I can edit the
>> values that Samba is showing the user with pdbedit, but I shouldn't need
>> to edit that - my password policy is defined in LDAP, and those are the
>> messages I'd like the users to see.
>> 
>
> How are these policies exactly defined in LDAP? Are they
> visible for LDAP clients?
>   

It's an explicit entry in LDAP:

56 cn=Password Policy,ou=Policies,dc=example,dc=com
cn: Password Policy
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdMinAge: 3468000
pwdMinLength: 6
pwdExpireWarning: 432000
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdLockout: TRUE
pwdCheckQuality: 1
pwdGraceAuthNLimit: 0
pwdInHistory: 6
pwdMaxFailure: 2
pwdLockoutDuration: 60
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: top
pwdCheckModule: check_password.so
pwdSafeModify: FALSE

The check_password.so module is what's doing the strength checks,
similar to how the 'check password script' works in Samba.  All other
password policy attributes listed above are visible (read access) from a
directory listing (for every user).

> If they are visible, then we might have a chance to return
> them to the client, although this would require coding. If
> they are defined in some LDAP server config file that is not
> visible to Samba, then we can't export those to the client.
>   

It sounds like everything is pretty cut and dry with the exception of
the checks enforced by check_password.so.  But, I think if Samba just
returned the errors sent back by LDAP/check_password.so (e.g., "password
too short", "password does not meet required strength checks", etc.),
that would suffice.  I can see that Samba receives these error messages,
but seems to do nothing with them (log information included in previous
posts in this thread).  If that can be rectified, that should get us
pretty close, no?

Thanks as always,
Ryan
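
What exporting the visible policy attributes to the client could look like, as an added example that is not Samba code and was not posted in this thread. It assumes the three numbers in the Windows dialog correspond to pwdMinLength, pwdInHistory and pwdMinAge; the struct and function names are hypothetical and the sample entry is constructed from the attributes quoted above.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: attributes copied from the policy entry quoted above. */
static const char SAMPLE_POLICY[] =
    "cn: Password Policy\n"
    "pwdMaxAge: 3888000\n"
    "pwdMinAge: 3468000\n"
    "pwdMinLength: 6\n"
    "pwdInHistory: 6\n"
    "pwdMaxFailure: 2\n";

/* Hypothetical struct: the three values the Windows dialog prints. */
struct client_policy {
    long min_length;   /* characters, from pwdMinLength */
    long history;      /* remembered passwords, from pwdInHistory */
    long min_age_days; /* whole days, from pwdMinAge (seconds) */
};

/* Look up "name: <non-negative integer>" at the start of a line.
 * Returns 1 if found, 0 if the attribute is absent, -1 if malformed. */
static int policy_get_long(const char *entry, const char *name, long *out)
{
    size_t nlen = strlen(name);
    const char *p = entry;

    while (p != NULL && *p != '\0') {
        /* LDAP attribute names compare case-insensitively. */
        if (strncasecmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            char *end;

            while (*v == ' ')
                v++;
            if (*v < '0' || *v > '9')
                return -1;          /* empty or non-numeric value */
            errno = 0;
            *out = strtol(v, &end, 10);
            if (errno == ERANGE ||
                (*end != '\n' && *end != '\r' && *end != '\0'))
                return -1;          /* overflow or trailing junk */
            return 1;
        }
        p = strchr(p, '\n');
        if (p != NULL)
            p++;
    }
    return 0;
}

/* Fill cp from a policy entry; an absent attribute means no restriction (0). */
static int policy_for_client(const char *entry, struct client_policy *cp)
{
    long min_age_secs = 0;

    cp->min_length = cp->history = cp->min_age_days = 0;
    if (policy_get_long(entry, "pwdMinLength", &cp->min_length) < 0 ||
        policy_get_long(entry, "pwdInHistory", &cp->history) < 0 ||
        policy_get_long(entry, "pwdMinAge", &min_age_secs) < 0)
        return -1;
    cp->min_age_days = min_age_secs / 86400;   /* ppolicy stores seconds */
    return 0;
}

/* Render the restriction in the wording of the dialog quoted in the thread. */
static int format_restriction(const struct client_policy *cp,
                              char *buf, size_t len)
{
    int n = snprintf(buf, len, "Your password must be at least %ld characters, "
                     "cannot repeat any of your previous %ld passwords and "
                     "must be at least %ld days old.",
                     cp->min_length, cp->history, cp->min_age_days);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    struct client_policy cp;
    char msg[256];

    if (policy_for_client(SAMPLE_POLICY, &cp) != 0 ||
        format_restriction(&cp, msg, sizeof(msg)) != 0)
        return 1;
    puts(msg);
    return 0;
}
```

The checks done by check_password.so have no attribute to read, so they are outside what this conversion can convey.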


Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-09 Thread Volker Lendecke
On Tue, Apr 08, 2008 at 10:10:18AM -0400, Ryan Steele wrote:

> I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure
> why it's showing the user this message instead.  I see I can edit the
> values that Samba is showing the user with pdbedit, but I shouldn't need
> to edit that - my password policy is defined in LDAP, and those are the
> messages I'd like the users to see.

How are these policies exactly defined in LDAP? Are they
visible for LDAP clients?

If they are visible, then we might have a chance to return
them to the client, although this would require coding. If
they are defined in some LDAP server config file that is not
visible to Samba, then we can't export those to the client.

Volker



Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-08 Thread Ryan Steele
Volker Lendecke wrote:
> On Mon, Apr 07, 2008 at 03:19:00PM -0400, Ryan Steele wrote:
>   
>> It's not defined in my Samba source, but I guess that was the wrong
>> place to look.  On my system, /usr/include/ldap.h does in fact have that
>> defined.  However, Samba still returns NT_STATUS_UNSUCCESSFUL, and
>> Windows still  reports that the password couldn't be changed because the
>> domain was unavailable... have I zigged where I should've zagged, or is
>> Samba not setting rc properly when it gets the response from LDAP?
>> 
>
> Please check that your LDAP server indeed does return 0x13
> over the 389 connection. You might also add a DEBUG
> statement right above the #if defined(LDAP_CONSTRAINT_VIOLATION) 
> to check what smbd sees. That's at least what I would do.
>
> Volker
>   

My initial process for building the binary package was flawed (the
makefile was using the wrong source tree).  After correcting that, the
new code has been inserted, and it is successfully returning
NT_STATUS_PASSWORD_RESTRICTION in pdb_ldap.c.  However, there is a
slight problem.  Instead of showing the user the message that LDAP is
passing back (and which Samba receives) which is:

[2008/04/08 05:35:26, 10] lib/smbldap.c:smbldap_extended_operation(1472)
  Extended operation failed with error: Constraint violation (Password
fails quality checking policy)
[2008/04/08 05:35:26, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
  ldapsam_modify_entry: LDAP Password could not be changed for user
tester: Constraint violation
Password fails quality checking policy

...it returns "Your password must be at least 5 characters, cannot
repeat any of your previous 0 passwords and must be at least 0 days
old.  Please type a different password.  Type a password that meets
these requirements in both text boxes."  Is it possible to have Samba
convey to the user the message that LDAP returns, instead of returning
the aforementioned message?  I want the error the users see to reflect
why they're actually being denied a password change. 

I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure
why it's showing the user this message instead.  I see I can edit the
values that Samba is showing the user with pdbedit, but I shouldn't need
to edit that - my password policy is defined in LDAP, and those are the
messages I'd like the users to see.

Thanks as always for your help and insight,

Ryan


Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-08 Thread Ryan Steele
Volker Lendecke wrote:
> On Mon, Apr 07, 2008 at 03:19:00PM -0400, Ryan Steele wrote:
>   
>> It's not defined in my Samba source, but I guess that was the wrong
>> place to look.  On my system, /usr/include/ldap.h does in fact have that
>> defined.  However, Samba still returns NT_STATUS_UNSUCCESSFUL, and
>> Windows still  reports that the password couldn't be changed because the
>> domain was unavailable... have I zigged where I should've zagged, or is
>> Samba not setting rc properly when it gets the response from LDAP?
>> 
>
> Please check that your LDAP server indeed does return 0x13
> over the 389 connection. You might also add a DEBUG
> statement right above the #if defined(LDAP_CONSTRAINT_VIOLATION) 
> to check what smbd sees. That's at least what I would do.
>
> Volker
>   
My initial process was flawed (the makefile I was using was pointing to
the wrong source tree).  I have now gotten the new code in pdb_ldap.c
working, but there's still a slight issue.  It returns
NT_STATUS_PASSWORD_RESTRICTION as expected, but instead of passing back
the message that LDAP sends, which is:

[2008/04/08 05:35:26, 10] lib/smbldap.c:smbldap_extended_operation(1472)
  Extended operation failed with error: Constraint violation (Password
fails quality checking policy)
[2008/04/08 05:35:26, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
  ldapsam_modify_entry: LDAP Password could not be changed for user
tester: Constraint violation
Password fails quality checking policy

...it returns "Your password must be at least 5 characters, cannot
repeat any of your previous 0 passwords and must be at least 0 days
old.  Please type a different password.  Type a password that meets
these requirements in both text boxes."  Is there any way to get Samba
to use what it's being given by LDAP, instead of using these values? 
I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure
where it's actually getting those from, but it's not what the users are
being restricted by and I'd like the error messages to reflect the LDAP
restrictions that it's passing back to Samba.

Thanks as always for your help and insight,

Ryan


Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-07 Thread Volker Lendecke
On Mon, Apr 07, 2008 at 03:19:00PM -0400, Ryan Steele wrote:
> It's not defined in my Samba source, but I guess that was the wrong
> place to look.  On my system, /usr/include/ldap.h does in fact have that
> defined.  However, Samba still returns NT_STATUS_UNSUCCESSFUL, and
> Windows still  reports that the password couldn't be changed because the
> domain was unavailable... have I zigged where I should've zagged, or is
> Samba not setting rc properly when it gets the response from LDAP?

Please check that your LDAP server indeed does return 0x13
over the 389 connection. You might also add a DEBUG
statement right above the #if defined(LDAP_CONSTRAINT_VIOLATION) 
to check what smbd sees. That's at least what I would do.

Volker



Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-07 Thread Ryan Steele
Volker Lendecke wrote:
> On Mon, Apr 07, 2008 at 02:03:32PM -0400, Ryan Steele wrote:
>   
>> #if defined(LDAP_CONSTRAINT_VIOLATION)
>> if (rc == LDAP_CONSTRAINT_VIOLATION)
>> return NT_STATUS_PASSWORD_RESTRICTION;
>> #endif
>>
>> ...to pdb_ldap.c didn't seem to change the behavior at all.  I suspect
>> it's because LDAP_CONSTRAINT_VIOLATION isn't defined anywhere in my
>> 3.0.24 source, though I could certainly be wrong.  I'm grabbing the
>> latest source from git to see where that's defined, but if anybody wants
>> to head me off at the pass with the information, it's certainly welcome.
>> 
>
> If your LDAP libs don't have that define, you might try to
> use the value from OpenLDAP:
>
> #define LDAP_CONSTRAINT_VIOLATION   0x13
>
> Volker
>   

It's not defined in my Samba source, but I guess that was the wrong
place to look.  On my system, /usr/include/ldap.h does in fact have that
defined.  However, Samba still returns NT_STATUS_UNSUCCESSFUL, and
Windows still  reports that the password couldn't be changed because the
domain was unavailable... have I zigged where I should've zagged, or is
Samba not setting rc properly when it gets the response from LDAP?

Thanks,
Ryan




Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-07 Thread Volker Lendecke
On Mon, Apr 07, 2008 at 02:03:32PM -0400, Ryan Steele wrote:
> 
> #if defined(LDAP_CONSTRAINT_VIOLATION)
> if (rc == LDAP_CONSTRAINT_VIOLATION)
> return NT_STATUS_PASSWORD_RESTRICTION;
> #endif
> 
> ...to pdb_ldap.c didn't seem to change the behavior at all.  I suspect
> it's because LDAP_CONSTRAINT_VIOLATION isn't defined anywhere in my
> 3.0.24 source, though I could certainly be wrong.  I'm grabbing the
> latest source from git to see where that's defined, but if anybody wants
> to head me off at the pass with the information, it's certainly welcome.

If your LDAP libs don't have that define, you might try to
use the value from OpenLDAP:

#define LDAP_CONSTRAINT_VIOLATION   0x13

Volker



Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-07 Thread Ryan Steele
Volker Lendecke wrote:
> On Fri, Apr 04, 2008 at 04:47:56PM -0400, John Drescher wrote:
>   
>> I think the bug/problem is that this message is being displayed
>> instead of "Password could not be changed for user
>>   tester: Constraint violation" and "does not pass required number  of
>> strength checks (1 of 3)."
>> 
>
> Current 3.2 has the attached code. Might help for you.
>
> Volker
>   
Adding:

#if defined(LDAP_CONSTRAINT_VIOLATION)
if (rc == LDAP_CONSTRAINT_VIOLATION)
return NT_STATUS_PASSWORD_RESTRICTION;
#endif

...to pdb_ldap.c didn't seem to change the behavior at all.  I suspect
it's because LDAP_CONSTRAINT_VIOLATION isn't defined anywhere in my
3.0.24 source, though I could certainly be wrong.  I'm grabbing the
latest source from git to see where that's defined, but if anybody wants
to head me off at the pass with the information, it's certainly welcome.

Thanks,
Ryan


Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-05 Thread Volker Lendecke
On Fri, Apr 04, 2008 at 04:47:56PM -0400, John Drescher wrote:
> I think the bug/problem is that this message is being displayed
> instead of "Password could not be changed for user
>   tester: Constraint violation" and "does not pass required number  of
> strength checks (1 of 3)."

Current 3.2 has the attached code. Might help for you.

Volker
diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c
index 54c2500..c07d59a 100644
--- a/source/passdb/pdb_ldap.c
+++ b/source/passdb/pdb_ldap.c
@@ -1644,6 +1644,10 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods 
*my_methods,
pdb_get_username(newpwd), ldap_err2string(rc), 
ld_error?ld_error:"unknown"));
SAFE_FREE(ld_error);
ber_bvfree(bv);
+#if defined(LDAP_CONSTRAINT_VIOLATION)
+   if (rc == LDAP_CONSTRAINT_VIOLATION)
+   return NT_STATUS_PASSWORD_RESTRICTION;
+#endif
return NT_STATUS_UNSUCCESSFUL;
} else {
DEBUG(3,("ldapsam_modify_entry: LDAP Password changed 
for user %s\n",pdb_get_username(newpwd)));
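
Review bot: the #if defined(LDAP_CONSTRAINT_VIOLATION) guard around the new check makes the mapping disappear silently when the LDAP headers used for the build lack that macro, and the function then falls through to return NT_STATUS_UNSUCCESSFUL exactly as before the change. Consider supplying a fallback definition or emitting a build-time warning so a build without the macro is noticed. Separately, ld_error is released by SAFE_FREE(ld_error) just above the new lines, so the server's diagnostic text reaches only the DEBUG log and the caller receives nothing but the status code; a short comment saying that this is intended would help the next reader.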



Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-04 Thread John Drescher
On Fri, Apr 4, 2008 at 4:41 PM, Ryan Steele <[EMAIL PROTECTED]> wrote:
> Hey list,
>
>  Recently I've gotten my Samba PDC to successfully use an OpenLDAP
>  backend, while using the smbk5pwd and ppolicy overlays for OpenLDAP.
>  However, Samba appears to incorrectly handle responses from LDAP's
>  ppolicy overlay, even though it very clearly receives them.  If I enter
>  in a password (be it through Ctrl+Alt+Delete or when a password expires
>  and the user is prompted at logon) that violates the ppolicy
>  constraints, I get one of two scenarios.
>
>  1. If logging is turned off in OpenLDAP (loglevel 0 in slapd.conf),
>  Windows reports the password change was successful ("Your password has
>  been changed" dialog box), when in fact none of the attributes have
>  changed (including but not limited to sambaNTPassword, sambaLMPassword).
>
>  2. If logging is turned on (anything other than 0 in the slapd.conf),
>  Windows reports that "The system cannot change your password now because
>  the domain DOMAINNAME is unavailable."  While this is certainly not the
>  case, at least in this situation the user is informed that the password
>  change did not work.
>
>  I can see that LDAP does indeed pass back a response to Samba; from the
>  LDAP logs:
>
>  Apr  4 10:47:37 servername slapd[12709]: do_extended
>  Apr  4 10:47:37 servername slapd[12709]: >>> dnPrettyNormal:
>  
>  Apr  4 10:47:37 servername slapd[12709]: <<< dnPrettyNormal:
>  ,
>  
>  Apr  4 10:47:37 servername slapd[12709]:
>  bdb_dn2entry("uid=tester,ou=users,dc=example,dc=com")
>  Apr  4 10:47:37 servername slapd[12709]:
>  bdb_dn2entry("uid=tester,ou=users,dc=example,dc=com")
>  Apr  4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
>  Apr  4 10:47:37 servername slapd[12709]:
>  bdb_dn2entry("uid=tester,ou=users,dc=example,dc=com")
>  Apr  4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
>  Apr  4 10:47:37 servername slapd[12709]: bdb_dn2entry("cn=password
>  policy,ou=policies,dc=example,dc=com")
>  Apr  4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
>  Apr  4 10:47:37 servername slapd[12709]: check_password_quality: module
>  error: (check_password.so) Password for
>  dn="uid=tester,ou=Users,dc=example,dc=com" does not pass required number
>  of strength checks (1 of 3).[1]
>  Apr  4 10:47:37 servername slapd[12709]: send_ldap_result: conn=76 op=24 p=3
>  Apr  4 10:47:37 servername slapd[12709]: send_ldap_extended: err=19 oid=
>  len=0
>  Apr  4 10:47:37 servername slapd[12709]: send_ldap_response: msgid=25
>  tag=120 err=19
>  Apr  4 10:47:42 servername slapd[12709]: connection_get(19): got connid=77
>  Apr  4 10:47:42 servername slapd[12709]: connection_read(19): checking
>  for input on id=77
>  Apr  4 10:47:42 servername slapd[12709]: ber_get_next on fd 19 failed
>  errno=0 (Success)
>  Apr  4 10:47:42 servername slapd[12709]: connection_closing: readying
>  conn=77 sd=19 for close
>  Apr  4 10:47:42 servername slapd[12709]: connection_close: conn=77 sd=-1
>  Apr  4 10:47:42 servername slapd[12709]: connection_get(13): got connid=76
>  Apr  4 10:47:42 servername slapd[12709]: connection_read(13): checking
>  for input on id=76
>  Apr  4 10:47:42 servername slapd[12709]: ber_get_next on fd 13 failed
>  errno=0 (Success)
>  Apr  4 10:47:42 servername slapd[12709]: connection_closing: readying
>  conn=76 sd=13 for close
>  Apr  4 10:47:42 servername slapd[12709]: connection_close: conn=76 sd=-1
>
>  ...and, Samba does receive this error message intact.  From the Samba logs:
>
>  [2008/04/04 12:11:54, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1777)
>   ldapsam_update_sam_account: user tester to be modified has dn:
>  uid=tester,ou=Users,dc=example,dc=com
>  [2008/04/04 12:11:54, 2] passdb/pdb_ldap.c:init_ldap_from_sam(965)
>   init_ldap_from_sam: Setting entry for user: tester
>  [2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(520)
>   smbldap_make_mod: deleting attribute |sambaPwdCanChange| values
>  |1207320457|
>  [2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(529)
>   smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1207325514|
>  [2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(504)
>   smbldap_make_mod: attribute |sambaPwdMustChange| not changed.
>  [2008/04/04 12:11:54, 5] lib/smbldap.c:smbldap_modify(1363)
>   smbldap_modify: dn => [uid=tester,ou=Users,dc=example,dc=com]
>  [2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_extended_operation(1472)
>   Extended operation failed with error: Constraint violation (Password
>  fails quality checking policy)
>  [2008/04/04 12:11:54, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
>   ldapsam_modify_entry: LDAP Password could not be changed for user
>  tester: Constraint violation
> Password fails quality checking policy
>  [2008/04/04 12:11:54, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
>   pop_sec_ctx (1043, 513) - sec_ctx_stack_ndx = 1
>  [2008/04/04 12:11:54, 5]
>  rpc_parse/parse_samr.c:init_samr_r_chgpasswd_user(7534)
>