Description Arvid Requate 2014-09-03 13:00:03 CEST

The configuration of a set of domain password policies which consistently apply to Kerberos, LDAP and Samba authentication currently requires careful administration by the administrator and has been a source of intransparent failures ending up as support cases in the past. With the introduction of additional policy options (Bug 31907) the demand for a unified point of administration may grow.

We are talking about domain password policies here, which provide the default for the whole domain. They may be comlemented by user/group/subtree-scope specific policies (UDM and/or GPO), but we are not taking about those here. Both concepts co-exist.


Currently the domain password policies are implemented by a two-component (Samba+UDM) mixture configured via

1. the samba-domain-object (synchronized to the Samba4 LDAP base settings).
2. a set of individual UDM policies possibly linked to the domain root (applied via UDM to aspects of LDAP, Posix and Kerberos authentication).


My vision for this would be to implement a superordinate "UCS domain password policy" (object), which is monitored by the other services (e.g. via listener) to translate the UCS domain password policy into their specific policy concepts. I.e.

1. the settings on the samba-domain-object are derived from the new "UCS domain password policy"

2. the UDM users/user module checks the new "UCS domain password policy" before applying the classing UDM policies.

3. Things like the LDAP-specific ppolicy (Bug 31907), or possibly Kerberos specific policy configuration settings are derived as well (e.g. by package supplied listeners).

I think we need to define a common base-line for this, which the other services try to follow as closely as they can.