[Freeipa-devel] freeIPA as a samba backend
Rob Crittenden
rcritten at redhat.com
Tue Jun 26 14:36:32 UTC 2012
Loris Santamaria wrote:
> Hi,
>
> while using freeIPA as a user database for a samba installation I found
> a problem in the enforcement of password policies. FreeIPA password
> policies are more detailed than samba's, in freeIPA one may enforce
> password history and the number of character classes in a password, but
> normally samba connects to freeIPA with the "Directory Manager" so those
> policies are not enforced.
>
> Reading the source of ipa_pwd_extop I see there are three possibilities
> when changing passwords:
>
> * Password change by the user, with full enforcement of policies
> * Password change by an admin, with no enforcement of policies and
> the new password is set as expired so the user has to change it
> on next logon
> * Password change by Directory Manager, with no enforcement of
> policies and the password is not set as expired.
>
> None of the aforementioned possibilities are ideal for samba, samba
> should connect to freeIPA with a user privileged enough to change
> password for all users but with fully enforced policies.
>
> What do you think about this? Would you consider adding such feature?
> Would you accept patches?
This would bump up the complexity a bit as we'd need a fourth class of
password change types. This could be managed similar to the passsync_dn
list. You'd need to bind to the IPA LDAP server using a special account,
which is probably a better idea than DM anyway.
Yes, patches are accepted.
regards
rob
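As an added illustration (not code from this thread or from FreeIPA's ipa_pwd_extop), the three password-change classes Loris lists plus the proposed fourth one, modeled as a small Python simulation. The DNs, the policy values and the hashing scheme are constructed for the demo; the fourth class is keyed off a hypothetical list of privileged "password sync" bind DNs in the spirit of the passsync list Rob mentions.

```python
import hashlib

# Constructed DNs for the demo; a real IPA tree and its config attributes differ.
DM_DN = "cn=Directory Manager"
ADMIN_DNS = {"uid=admin,cn=users,cn=accounts,dc=example,dc=test"}
# Hypothetical fourth class: privileged binders that still get full policy enforcement.
PASSSYNC_DNS = {"uid=samba,cn=sysaccounts,cn=etc,dc=example,dc=test"}

# Simplified stand-in for an IPA password policy (length, character classes, history).
POLICY = {"min_length": 8, "min_classes": 3, "history": 3}


def pw_hash(pw):
    # Stand-in for the hashed history entries the directory keeps; not IPA's real scheme.
    return hashlib.sha256(pw.encode()).hexdigest()


def char_classes(pw):
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    other = any(not c.isalnum() for c in pw)
    return sum((lower, upper, digit, other))


def policy_violations(pw, history):
    """Return the list of policy rules the candidate password breaks (empty if none)."""
    v = []
    if len(pw) < POLICY["min_length"]:
        v.append("too short")
    if char_classes(pw) < POLICY["min_classes"]:
        v.append("too few character classes")
    if pw_hash(pw) in history[-POLICY["history"]:]:
        v.append("password reused")
    return v


def classify(bind_dn, target_dn):
    """Map the bound identity to a password-change class."""
    if bind_dn == target_dn:
        return "user"        # self-change: full enforcement
    if bind_dn == DM_DN:
        return "dm"          # no enforcement, not expired
    if bind_dn in PASSSYNC_DNS:
        return "passsync"    # proposed: full enforcement, not expired
    if bind_dn in ADMIN_DNS:
        return "admin"       # no enforcement, password set as expired
    raise PermissionError("bind DN may not change this password")


def change_password(user, bind_dn, new_pw):
    """user: dict with 'dn', 'history' (list of hashes), 'expired'. Mutates and returns it."""
    kind = classify(bind_dn, user["dn"])
    if kind in ("user", "passsync"):
        violations = policy_violations(new_pw, user["history"])
        if violations:
            raise ValueError(", ".join(violations))
    user["history"].append(pw_hash(new_pw))
    user["expired"] = (kind == "admin")
    return user
```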