
Re: (ITS#4276) Password policy history and complexity ignored with exop pwd change



On Tue, 2005-12-20 at 23:38 +0000, jboden508@yahoo.com wrote:
> Full_Name: Jim Boden
> Version: 2.3.13
> OS: Solaris
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (198.241.217.15)
> 
> 
> I tested this using PADL on Solaris 10 x86. The PADL pam_ldap was linked against
> the openldap 2.3.13 libldap.so. Only some of the ppolicy works fine when using
> exop. I got this back from Howard when asking about it:
> 
> 
> No, the exop only accepts passwords in plaintext and then generates the hash
> later. As such, quality checking can always be performed when using the exop.

but the password is stored in the DSA using the hashing indicated by the
password-hash option (slapd.conf(5), defaulting to "{SSHA}").

> 
> 
> So I'm assuming this to mean that exop should fully follow the default ppolicy.
> It does not in the following areas:
> 
> pwdHistory - I configured for 6, yet my user entry grows forever and lets me
> re-use passwords. I tested with password-hash of {MD5}.
> 
> complexity - Min length seems to work, but the complexity (letters/numbers) is
> not followed.
> 
> 
> I then changed the PADL to NOT use exop, but rather send pwds in the clear. The
> first time I changed a password with this new config, the pwdHistory for my test
> user went back to saving only 6 (like it should) and the complexity started
> being followed.
> 
> I suppose this could be blamed on PADL pam_ldap but I did link it with OpenLDAP
> libldap.so for 2.3.13 so I figured it might be an OpenLDAP issue.
> 
> I'm using a work-around of passwords in the clear, over SSL, and using the
> password-hash entry in slapd.conf.

You need to set

password-hash "{CLEARTEXT}"

to have the password stored in cleartext for the purpose of saving the
history.  I couldn't observe any excessive growth of history beyond the
enforced limit.  Also, note that when writing the password as the
rootdn, no checking occurs, so I suspect you configured your PAM LDAP
tools to use the rootdn as admin identity.  This might need to be
clarified in the slapo-ppolicy(5) man page.

p.




Ing. Pierangelo Masarati
Open Solution Manager
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
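To make the point of the exchange concrete (the exop delivers the cleartext to the server, and a salted {SSHA} history can only be checked by re-hashing the candidate with each stored salt, while a write performed as rootdn is not checked at all), here is an added Python example; it is not OpenLDAP code. It assumes pwdHistory values in the password-policy draft's `time#syntaxOID#length#data` form, uses OpenLDAP's {SSHA} layout (base64 of SHA-1 digest followed by the salt), and stands in a toy letters-plus-digits rule for a real quality check; the sample history is constructed.

```python
import base64
import hashlib
import hmac
import secrets

OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"  # syntax OID used in pwdHistory

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """OpenLDAP-style {SSHA}: base64(SHA1(password || salt) || salt), 4-byte salt."""
    salt = salt or secrets.token_bytes(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Re-hash the cleartext with the salt carried inside the stored value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)

def parse_pwd_history(value: str) -> str:
    """pwdHistory value 'time#syntaxOID#length#data' -> the stored hash (data)."""
    _time, oid, length, data = value.split("#", 3)
    if oid != OCTET_STRING_OID or int(length) != len(data):
        raise ValueError(f"malformed pwdHistory value: {value!r}")
    return data

def password_in_history(candidate: str, history) -> bool:
    """Verify the cleartext against each entry; salts differ, so hash equality would never match."""
    return any(ssha_verify(candidate, parse_pwd_history(v)) for v in history)

def meets_complexity(candidate: str, min_len: int = 8) -> bool:
    """Toy letters-plus-digits rule standing in for a real pwdCheckModule."""
    return (len(candidate) >= min_len
            and any(c.isalpha() for c in candidate)
            and any(c.isdigit() for c in candidate))

def exop_change_allowed(candidate: str, history, as_rootdn: bool = False) -> bool:
    """Policy decision for a cleartext password arriving via the password-modify exop."""
    if as_rootdn:  # as the reply notes, ppolicy performs no checks on rootdn writes
        return True
    return meets_complexity(candidate) and not password_in_history(candidate, history)

# Constructed sample history: two earlier passwords, fixed salts for reproducibility.
_OLD = [("winter2005", b"\x00\x01\x02\x03"), ("spring2005", b"\x04\x05\x06\x07")]
SAMPLE_HISTORY = [f"2005112012000{i}Z#{OCTET_STRING_OID}#{len(h)}#{h}"
                  for i, h in enumerate(ssha_hash(pw, s) for pw, s in _OLD)]
```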