Thomas Klettke wrote:
> My setup:
> -RH7.2 on a 2.4.17 kernel with acl support
> -samba 2.2.3a, using LDAP (with smbldap-tools), functions as PDC
>
> Question:
> Before using smbldap-passwd.pl, (meaning: using "passwd") Linux would not
> allow "trivial" passwords (blank, too short, dictionary words, etc.). As I
> understand, one of the tools that enables this is cracklib.
> With LDAP in place, I would like to have the same level of security, e.g.
> preventing my users from using the trivial password that many people love
> so much.
> Has anyone found a solution to combine ldappasswd, or smbldap-passwd.pl with
> the security of cracklib?

I do this by having my users change their passwords via PAM and
pam_winbind (I use HEAD for this, where I cleaned up pam_winbind *a
lot*). I currently don't advertise (or restrict) Windows-based password
changes - I intend to do this by adding cracklib support to Samba. (not
as hard as it sounds).

You could do this by setting 'unix password sync' (smb.conf option) and
setting 'passwd program' to point to a script that calls cracklib
itself. Samba won't change a password without the unix sync occurring
first.

Andrew Bartlett
--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
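
The 'passwd program' approach from the reply above, as an added example that is not part of the original thread and is not Samba's own code. It assumes the cracklib-check command-line tool is installed; the script path, the chat strings and the use of Red Hat's `passwd --stdin` as the final changer are assumptions to adapt to the site.

```shell
#!/bin/sh
# Constructed example (not from the original thread): a 'passwd program'
# wrapper that rejects passwords cracklib considers weak.
#
# Assumed smb.conf settings (script path and chat strings are hypothetical):
#   unix password sync = yes
#   passwd program = /usr/local/sbin/cracklib-passwd %u
#   passwd chat = *New*password* %n\n *changed*

# Checker command; cracklib-check reads candidates on stdin and prints
# "<candidate>: OK" or "<candidate>: <reason>".
CRACKLIB_CHECK=${CRACKLIB_CHECK:-cracklib-check}

# check_password PASSWORD -> exit 0 only if cracklib reports OK.
# The password goes in on stdin, never on a command line (visible in ps).
# Any checker failure or unexpected output rejects the password (fail closed).
check_password() {
    [ -n "$1" ] || return 1
    out=$(printf '%s\n' "$1" | "$CRACKLIB_CHECK" 2>/dev/null) || return 1
    case "$out" in
        *": OK") return 0 ;;
        *)       return 1 ;;
    esac
}

# change_password USER: prompt, vet with cracklib, then hand the password
# to the real changer. 'passwd --stdin' is Red Hat specific (assumption);
# substitute the LDAP-aware tool your site uses.
change_password() {
    user=$1
    printf 'New password: '
    IFS= read -r newpw || return 1
    if ! check_password "$newpw"; then
        echo 'Password rejected by cracklib' >&2
        return 1
    fi
    printf '%s\n' "$newpw" | passwd --stdin "$user" >/dev/null || return 1
    echo 'Password changed'
}

# Run only when called with a username, as Samba does via %u.
if [ "$#" -gt 0 ]; then
    change_password "$1"
fi
```

Because Samba refuses the change when the unix sync fails, a non-zero exit from the wrapper (no `*changed*` reply) also blocks the SMB password update.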