[Ltb-users] prevent rapid password changes

Clément OUDOT clement.oudot at savoirfairelinux.com
Thu Aug 31 18:37:36 CEST 2017

On 31/08/2017 at 14:19, Taylor Hammerling wrote:
> Clement - I sincerely appreciate your help on this!  Unfortunately if 
> SSP gives a generic "Password was refused by the LDAP directory" if 
> any of the LDAP restrictions are triggered I'm not going to be able to 
> use LDAP password restrictions.  My end users absolutely need specific 
> error messages, or they get REALLY ornery :D  I'm guessing that LDAP 
> doesn't provide SSP with any more information other than "REFUSED!".

SSP is coded in PHP, and the PHP LDAP library still does not have support for 
LDAP control policy. Anyway, I'm not sure Samba4 respects the password 
policy draft either.

For the moment you can configure some restrictions in the SSP configuration 
so that if SSP accepts the password, then it is strong enough to be 
accepted by the LDAP directory.

> What I'm going to do is set up a GPO to prevent users from changing 
> their passwords thru windows.  Then I'm going to turn off the LDAP 
> password restrictions entirely.  Then I'm going to add a bit into the 
> SSP code that will track how frequently each user has changed their 
> password and throw an error if they have changed their password within 
> the last X days.
> This way the end user knows exactly why their password change failed, 
> and I could even provide them with the date they can change their 
> password again in the error msg.

You will need to patch the SSP code to do that, and see how to get that 
information from the Samba 4 directory.

Note that a 1.1 will be soon released with a lot of fixes and 

Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
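
One way to implement the minimum-age check discussed in this thread, as an added example that is not part of the original message or of SSP's code. It assumes the Samba 4 AD directory exposes the `pwdLastSet` attribute (100-nanosecond ticks since 1601-01-01 UTC) and a 64-bit PHP; the function names and sample values are hypothetical.

```php
<?php
// Added example, not SSP code. Assumes an AD-style pwdLastSet attribute and 64-bit PHP.

// Seconds between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch).
const FILETIME_EPOCH_OFFSET = 11644473600;

// Convert a pwdLastSet string to a Unix timestamp, or null if unusable.
function filetime_to_unix(string $filetime): ?int
{
    // "0" means "must change at next logon": there is no last-change time.
    // The 18-digit limit keeps the cast inside the 64-bit integer range.
    if (preg_match('/^[0-9]{1,18}$/', $filetime) !== 1 || (int) $filetime === 0) {
        return null;
    }
    return intdiv((int) $filetime, 10000000) - FILETIME_EPOCH_OFFSET;
}

// Hypothetical helper: decide whether a change is allowed and when the next one is.
function check_min_age(?string $pwdLastSet, int $minAgeDays, int $now): array
{
    $last = $pwdLastSet === null ? null : filetime_to_unix($pwdLastSet);
    if ($last === null || $minAgeDays <= 0) {
        return ['allowed' => true, 'next_change' => null];
    }
    $next = $last + $minAgeDays * 86400;
    return ['allowed' => $now >= $next, 'next_change' => $next];
}

// Constructed sample: password last changed 2017-08-30 12:00 UTC, policy of 3 days.
// In a real patch the value would be read from the user's entry in the directory.
$changedAt  = gmmktime(12, 0, 0, 8, 30, 2017);
$pwdLastSet = (string) (($changedAt + FILETIME_EPOCH_OFFSET) * 10000000);
$now        = gmmktime(18, 37, 0, 8, 31, 2017);

$result = check_min_age($pwdLastSet, 3, $now);
if (!$result['allowed']) {
    echo 'Password changed too recently. You can change it again on '
        . gmdate('Y-m-d H:i', $result['next_change']) . " UTC\n";
} else {
    echo "Password change allowed\n";
}
```

A check placed in SSP only governs password changes made through SSP; changes made through any other path to the directory are not covered by it.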
