Bug 6634 - Always enforce the password policies
Summary: Always enforce the password policies
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: All All
: P3 normal (vote)
Target Milestone: ---
Assignee: Nadezhda Ivanova
QA Contact: samba4-qa@samba.org
URL:
Keywords:
Depends on:
Blocks: 6600
  Show dependency treegraph
 
Reported: 2009-08-13 05:43 UTC by Matthias Dieter Wallnöfer
Modified: 2010-07-04 16:31 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Dieter Wallnöfer 2009-08-13 05:43:28 UTC
For the moment the password policy settings are only enforced when we change the password through the "samdb_set_password" call in dsdb/common/util.c but not if we change it directly in the LDB (e.g. the "userPassword" attribute).

We need to write a new LDB module which should contain "stolen" code from "samdb_set_password" and which performs in both cases the full checks. "samdb_set_password" basically could remain then as a simple wrapper for a LDB modify operation on the "userPassword" attribute (and maybe provide some informations for the server - like now).
Comment 1 Matthias Dieter Wallnöfer 2010-05-10 12:39:30 UTC
My passwords work has now been finally merged.

For the last step I need your help Nadia: regarding user password changes over LDAP [MS-ADTS 3.1.1.3.1.5 Password Modify Operations] you need to change the ACL module so that it behaves as follows:

- The password attributes which we do understand are "unicodePwd", "dBCSPwd", "clearTextPassword", "userPassword". On each of the four possibilities you have to determine if it is a set or a change (the call "samdb_msg_find_old_and_new_ldb_val" makes this pretty easy: both values NULL - attribute isn't used at all; new value != NULL, old value == NULL - password set; new value != NULL, old value != NULL - password change).
- An administrator can always do change and set, a user can only do a change when he has the "User-Change-Password" control access right.
- If there are more change and sets operations mixed up: I will break in the "password_hash" module if the sequence isn't valid (so you don't have to test if multiple operations are valid or not). But just break on invalid permissions.
Comment 2 Nadezhda Ivanova 2010-07-04 16:31:19 UTC
Access checks implemented ad passing.