I am using samba 3.0.23b with OpenLDAP. Everything is fine, but when I try to configure account policies with pdbedit, this option will not read from or write to ldap; they were set in the local tdb. Example:
    pdbedit -P "min password length"
    WARNING: The "printer admin" option is deprecated
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TEST.DE))]
    smbldap_open_connection: connection opened
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TEST.DE))]
    smbldap_open_connection: connection opened
    account policy "min password length" description: Minimal password length (default: 5)
    account policy "min password length" value is: 5
This happens although I have set sambaMinPwdLength=10 in TEST.DE (on my LDAP server). In the LDAP logs I saw that only the old attributes like RIDBase were requested during this operation.
Created attachment 2130: output of pdbedit -d10 -P "bad lockout attempt" -C 3
It's a known deficiency, closing as "later". Volker
(In reply to comment #2)
> It's a known deficiency, closing as "later".
>
> Volker
>
Hello Volker, is there another bug report regarding this? Do you have an idea when this issue will be solved? Thanks, Holger
Argl, sorry, I was wrong. This is confusing. Before account policies are stored in LDAP at all, you need to migrate them from tdb to LDAP with
    pdbedit -i tdbsam -e ldapsam -y
Günther, I would propose to remove this account_policy_migrated flag. We don't do this for groups and users, and I don't see a reason to do it for the policies. What do you think? Volker
Volker, the manual migration was by my request. Although I am willing to automatically migrate the policy settings in the next release. Assuming that we know everything is working ok.
Sure, agreed. I'm not asking for automatic migration, I'm asking to remove the definite need to do the manual migration. I would like to have it the same as for users and group mappings: Whatever the passdb backend option says is relevant. This is not the case for account policies. If you change from tdbsam or smbpasswd to ldap, then without explicit migration the account policy values still end up in the tdb. Changing this would mean that for the caching functionality (do we really need that?) we would have to use another mechanism. gencache might be the appropriate place. Volker
I agree this should work the same as group mapping storage and migration. Let's take it on the tech list for more discussion though :-)
done :-) Volker
comment #6 sounded good. Does anyone remember the result from the tech list discussion?
(In reply to comment #9)
> comment #6 sounded good. Does anyone remember the result from the tech list
> discussion?
IIRC, Volker moved at least the caching stuff to gencache. Just my 2cents.
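Added example, not part of the bug thread or of Samba's own code: a check for the drift reported in the first comment, comparing the value `pdbedit -P` reports with the attribute on the sambaDomain entry in LDAP. The policy-to-attribute map covers only the two policies named in this thread, and the sample LDIF (including its DN) is constructed.

```python
import re

# pdbedit policy name -> attribute on the sambaDomain LDAP entry
# (only the two policies mentioned in this thread are mapped).
POLICY_TO_ATTR = {
    "min password length": "sambaMinPwdLength",
    "bad lockout attempt": "sambaLockoutThreshold",
}
POLICY_RE = re.compile(r'account policy "([^"]+)" value is: (\d+)')

def parse_pdbedit(output):
    """Return {policy name: int value} from `pdbedit -P` output."""
    return {name: int(val) for name, val in POLICY_RE.findall(output)}

def parse_ldif_entry(ldif):
    """Return {lowercased attribute: value} for a single LDIF entry."""
    attrs = {}
    for line in ldif.splitlines():
        if not line or line.startswith(("#", " ")) or ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs[name.strip().lower()] = value.strip()
    return attrs

def find_drift(pdbedit_output, ldif):
    """List (policy, attr, effective, ldap) tuples where the two disagree.
    ldap is None when the attribute is absent from the entry."""
    ldap = parse_ldif_entry(ldif)
    drift = []
    for policy, value in parse_pdbedit(pdbedit_output).items():
        attr = POLICY_TO_ATTR.get(policy)
        if attr is None:
            continue
        raw = ldap.get(attr.lower())
        ldap_value = int(raw) if raw is not None else None
        if ldap_value != value:
            drift.append((policy, attr, value, ldap_value))
    return drift

# Constructed sample input, modelled on the output quoted in the report.
SAMPLE_PDBEDIT = '''account policy "min password length" description: Minimal password length (default: 5)
account policy "min password length" value is: 5
'''
SAMPLE_LDIF = '''dn: sambaDomainName=TEST.DE,dc=example,dc=invalid
objectClass: sambaDomain
sambaDomainName: TEST.DE
sambaMinPwdLength: 10
'''

if __name__ == "__main__":
    for policy, attr, eff, want in find_drift(SAMPLE_PDBEDIT, SAMPLE_LDIF):
        print(f"DRIFT {policy}: effective={eff} {attr}={want}")
```

A non-empty result means the server is enforcing the tdb value rather than the one set in the directory, which is the state described here before the policies are migrated.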