For the moment the password policy settings are only enforced when we change the password through the "samdb_set_password" call in dsdb/common/util.c but not if we change it directly in the LDB (e.g. the "userPassword" attribute).
We need to write a new LDB module which should contain "stolen" code from "samdb_set_password" and which performs in both cases the full checks. "samdb_set_password" basically could remain then as a simple wrapper for a LDB modify operation on the "userPassword" attribute (and maybe provide some informations for the server - like now).
My passwords work has now been finally merged.
For the last step I need your help Nadia: regarding user password changes over LDAP [MS-ADTS 220.127.116.11.1.5 Password Modify Operations] you need to change the ACL module so that it behaves as follows:
- The password attributes which we do understand are "unicodePwd", "dBCSPwd", "clearTextPassword", "userPassword". On each of the four possibilities you have to determine if it is a set or a change (the call "samdb_msg_find_old_and_new_ldb_val" makes this pretty easy: both values NULL - attribute isn't used at all; new value != NULL, old value == NULL - password set; new value != NULL, old value != NULL - password change).
- An administrator can always do change and set, a user can only do a change when he has the "User-Change-Password" control access right.
- If there are more change and sets operations mixed up: I will break in the "password_hash" module if the sequence isn't valid (so you don't have to test if multiple operations are valid or not). But just break on invalid permissions.
Access checks implemented ad passing.