Full_Name: Ondrej Kuznik
Version: master
OS:
URL: https://github.com/mistotebe/openldap/tree/ppolicy10
Submission from: (NULL) (212.159.69.225)

There have been a few iterations of the ppolicy behera draft and it would be useful to support (some) of the documented features. The following are coming:

- pwdGraceExpiry
- pwdMaxLength
- pwdStartTime and pwdEndTime
- pwdMinDelay and pwdMaxDelay (as a soft-lockout, contingent with other implementations based on an informal survey during latest LDAPCon)
- pwdMaxIdle (and moving the relevant parts of lastbind overlay into slapd code as it is a shared dependency of a few things now)
- the ability to store per-policy arguments to check_password()
- updates/fixes to the draft that should have been identified before some of the above were proposed (mostly typos and ASN.1 schema updates)
Already in master.
Hello,

Just for traceability, I have made some tests about this feature some time ago, when it was available only at https://github.com/mistotebe/openldap/tree/ppolicy10

I have basically tested these at 2020-01-20:

- pwdMaxLength
- pwdLastSuccess, pwdMaxIdle
- pwdStartTime, pwdEndTime
- basic integration with ppm (https://github.com/ltb-project/ppm)

I am planning to test again on RE25 branch of OpenLDAP soon.

David
Hello,

I have made some new tests on OpenLDAP master branch.

For information, I had to fix a typo before it compiles: the manpage of pbkdf2 overlay was not correctly written: in contrib/slapd-modules/passwd/pbkdf2/Makefile:

```
MANPAGES = slapd-pw-pbkdf2.5
```

should be:

```
MANPAGES = slapo-pw-pbkdf2.5
```

Here are the things I have basically tested:

- pwdMaxLength: OK
- pwdLastSuccess, pwdMaxIdle: KO: the user is able to authenticate after the pwdMaxIdle delay. Also, the pwdLastSuccess is never written (see https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-5.3.11). For information, I have enabled lastbind. The slapo-ppolicy man page does not mention pwdLastSuccess by the way.
- pwdStartTime, pwdEndTime: OK, but there is no special ppolicy code returned, and if I read correctly the draft (https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.1), an "accountLocked" extended error code should be triggered.
- basic integration with ppm, and in particular the pwdCheckModuleArg (https://github.com/ltb-project/ppm): OK (but will need some adaptation of the check_password signature: https://github.com/ltb-project/ppm/issues/20)

Regards,
David
(In reply to David Coutadeur from comment #3)
> For information, I had to fix a typo before it compiles: the manpage of
> pbkdf2 overlay was not correctly written:
> in contrib/slapd-modules/passwd/pbkdf2/Makefile:
> ```
> MANPAGES = slapd-pw-pbkdf2.5
> ```
> should be:
> ```
> MANPAGES = slapo-pw-pbkdf2.5

That's https://bugs.openldap.org/show_bug.cgi?id=8837
On Fri, Mar 27, 2020 at 05:02:02PM +0000, openldap-its@openldap.org wrote:
> Hello,
>
> Here are the things I have basically tested:
>
> - pwdLastSuccess, pwdMaxIdle: KO: the user is able to authenticate after the
> pwdMaxIdle delay. Also, the pwdLastSuccess is never written (see
> https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-5.3.11).
> For information, I have enabled lastbind. The slapo-ppolicy man page does not
> mention pwdLastSuccess by the way.

Hi David,
could you show a configuration when this happens? I cannot reproduce either issue on master.

I will update the manpage to mention pwdLastSuccess is used.

> - pwdStartTime, pwdEndTime: OK, but there is no special ppolicy code returned,
> and if I read correctly the draft
> (https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.1),
> an "accountLocked" extended error code should be triggered.

Again, can't seem to be able to reproduce that and test022-ppolicy passes for me.
*** Issue 6084 has been marked as a duplicate of this issue. ***
*** Issue 8935 has been marked as a duplicate of this issue. ***
(In reply to Ondřej Kuzník from comment #5)
>
> Hi David,
> could you show a configuration when this happens? I cannot reproduce
> either issue on master.
>
> I will update the manpage to mention pwdLastSuccess is used.
>
> > - pwdStartTime, pwdEndTime: OK, but there is no special ppolicy code returned,
> > and if I read correctly the draft
> > (https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.1),
> > an "accountLocked" extended error code should be triggered.
>
> Again, can't seem to be able to reproduce that and test022-ppolicy
> passes for me.

Hi David,

Can you provide the requested info?

Thanks!
Hello,

Thanks Ondřej for your answer to my test results. Here are some updates!

> - pwdLastSuccess, pwdMaxIdle: KO: the user is able to authenticate after the
> pwdMaxIdle delay. Also, the pwdLastSuccess is never written (see
> https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-5.3.11).
> For information, I have enabled lastbind. The slapo-ppolicy man page does not
> mention pwdLastSuccess by the way.

I finally succeeded in making it work. Thanks for pointing out test022-ppolicy, it was helpful.

The problem was that I was using the old lastbind overlay, which in some way was in conflict with current lastbind.

If I understand correctly, the current lastbind is now completely included into OpenLDAP 2.5?

It is very important to me, because as a maintainer of OpenLDAP-LTB, we would have to warn people that the configuration parameters have changed (overlay lastbind -> lastbind on) and that the overlay won't be provided any more.

> - pwdStartTime, pwdEndTime: OK, but there is no special ppolicy code returned,
> and if I read correctly the draft
> (https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.1),
> an "accountLocked" extended error code should be triggered.

I was simply missing the ppolicy_use_lockout parameter.

One remark though: the reason of locking is not very explicit. I understand that many companies/organizations will consider it is a good thing to hide this information for security reasons. For the others, maybe could we have some sort of level?

Configuration example:

lockout_message_description [none|minimal|verbose]

In the specification the extended error code could simply stay as it is: "(1)Account locked", but we could add a more precise description in case the verbose mode is enabled: "(1)Account locked (account unused for a too long time)"

Regards,
David
On Thu, Apr 09, 2020 at 02:41:54PM +0000, openldap-its@openldap.org wrote:
> The problem was that I was using old lastbind overlay, which in some way was in
> conflict with current lastbind.
> If I understand correctly, the current lastbind is now completely included into
> OpenLDAP 2.5?

No, features you might want to configure lastbind with do not (yet) have an equivalent in the core implementation, so I haven't removed it from 2.5 yet.

> It is very important to me, because as a maintainer of OpenLDAP-LTB, we would
> have to warn people that the configuration parameters have changed (overlay
> lastbind -> lastbind on) and that the overlay won't be provided any more.
>
> >> - pwdStartTime, pwdEndTime: OK, but there is no special ppolicy code returned,
> >> and if I read correctly the draft
> >> (https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.1),
> >> an "accountLocked" extended error code should be triggered.
>
> I was simply missing the ppolicy_use_lockout parameter.
> One remark though: the reason of locking is not very explicit.
> I understand that many companies/organizations will consider it is a good thing
> to hide this information for security reasons. For the others, maybe could we
> have some sort of level?
> Configuration example:
> lockout_message_description [none|minimal|verbose]

The message is output by the client, the only information provided is the ppolicy response control:
https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-6.2
(or rather https://git.openldap.org/openldap/openldap/-/blob/master/doc/drafts/draft-behera-ldap-password-policy-xx.xml#L1112)

Providing any more information would need to be integrated into the draft as well.

> In the specification the extended error code could simply stay as it is:
> "(1)Account locked", but we could add a more precise description in case the
> verbose mode is enabled: "(1)Account locked (account unused for a too long
> time)"
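A configuration that exercises the features discussed in the two comments above (pwdMaxLength, pwdMaxIdle backed by the core lastbind, pwdStartTime/pwdEndTime on the user entry, and lockout reporting via ppolicy_use_lockout), as an added example that is not part of the thread or of OpenLDAP's own test suite. It assumes OpenLDAP 2.5 cn=config attribute names, a single mdb database at olcDatabase={1}mdb,cn=config with the ppolicy module already loaded, and constructed entry names, dates and timeouts.

```ldif
# --- cn=config: core lastbind replaces "overlay lastbind" (slapd.conf: lastbind on)
# Without it pwdLastSuccess is never written and pwdMaxIdle can never trigger.
dn: cn=config
changetype: modify
replace: olcLastBind
olcLastBind: TRUE

# --- cn=config: ppolicy overlay (slapd.conf: overlay ppolicy / ppolicy_use_lockout)
# olcPPolicyUseLockout makes a locked account return accountLocked (1) in the
# ppolicy response control instead of a bare invalidCredentials.
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyUseLockout: TRUE

# --- data DIT: the default policy (assumed DN, assumed values)
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMinLength: 12
# draft-10 addition: reject passwords longer than this
pwdMaxLength: 64
# draft-10 addition: lock the account after 90 days (in seconds) without a
# successful bind, measured from pwdLastSuccess (hence olcLastBind above)
pwdMaxIdle: 7776000
pwdLockout: TRUE
pwdMaxFailure: 5

# --- data DIT: a user whose password is only usable inside a window
# (assumed: the server lets an admin write these operational attributes
# directly; otherwise add the relax control, e.g. ldapmodify -e relax)
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: pwdStartTime
pwdStartTime: 20200401000000Z
-
replace: pwdEndTime
pwdEndTime: 20201231235959Z
```

Apply the first two entries against cn=config and the last two against the data database; a bind as alice outside the window, or after 90 idle days, should then carry accountLocked in the ppolicy response control.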
Draft 10 adds another way of expiring passwords (pwdEndTime) but that is not included in expiry warning calculation. It might be worth clarifying whether it should or should not be taken into consideration. Neither is maxIdle but we don't really get a chance to exercise it as this is already done in a "non-idle" context.
Commits:
• 4cd096de by Ondřej Kuzník at 2021-06-21T18:37:30+00:00
  ITS#9156 Do not spam the logs on account of lastbind
Commits:
• c4d399c2 by Quanah Gibson-Mount at 2021-08-26T15:43:24+00:00
  ITS#9156 - Remove ppolicy.schema from README

  Also remove nadf.schema, that got removed some time long ago
*** Issue 9710 has been marked as a duplicate of this issue. ***
head:
commit 4cd096defffc278f13edf9a194f4bc62095a947e
Author: Ondřej Kuzník <ondra@mistotebe.net>
Date: Mon Jun 7 15:52:25 2021 +0100

    ITS#9156 Do not spam the logs on account of lastbind

Re25:
• 667ea288 by Ondřej Kuzník at 2021-09-30T16:02:34+00:00
  ITS#9156 Do not spam the logs on account of lastbind