[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: PAM authentication and PPolicy issues

To: Patrick Hemmer <openldap@stormcloud9.net>
Subject: Re: PAM authentication and PPolicy issues
From: Clément OUDOT <clem.oudot@gmail.com>
Date: Wed, 20 Jun 2012 15:32:05 +0200
Cc: openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=sUwwCLbjKEehfaCxbceMyu4TZAWdVPufaeKjjAbuxtE=; b=C8Jpg6/VrOIIDvSLGu/Y+xqLxgIfFjaAmJtW1vv9Xfc96HFv+DzHwMmeNdM88x379K JP000GK0Gi7UzdCUJ80gGxs2ZiP7eb/aM/44MATG2Nbea0aPiE+3x7LrQiobOKuCU188 jDTBh1sH0TnJHpK/ltQgWSxTLh6S3VIUkJNGjxGjMbe/hqwSi1JBDjJuYj4+jwmiiRqz XjuBrMOS59YF8S6kSdCCW0Ab73aI7kuZd68hH0gJ0KoQkFh/8vskPTLstYdyopAUcln5 2x9QmepEJLMgRif9cl8R1r7aBLEBS40GImdNy/7oyNmECLb/AxhLavb8KYTWTgh7E/KY qWLg==
In-reply-to: <4FE1CD61.2030006@stormcloud9.net>
References: <FC230C66F47C8543B026F265E1E91D5823703AA7@GEDASPW05.a.space.corp> <CAK_oV48aHMMvG9zY+VVJORm1=XG6k3X+x-Eom3X4DjOuO9E+1g@mail.gmail.com> <FC230C66F47C8543B026F265E1E91D5823703ADD@GEDASPW05.a.space.corp> <CAK_oV48y1RUyTPZuGojju8WZ-e4KhNGdjFKeVG00dbMO9mYz+A@mail.gmail.com> <4FE1CD61.2030006@stormcloud9.net>

2012/6/20 Patrick Hemmer <openldap@stormcloud9.net>:
>
>
> Sent: Wed Jun 20 2012 04:36:03 GMT-0400 (EDT)
> From: Clément OUDOT <clem.oudot@gmail.com>
> To: Francesco Belli <Francesco.Belli@vegaspace.com>
> openldap-technical@openldap.org
>
> Subject: Re: PAM authentication and PPolicy issues
>
> 2012/6/20 Francesco Belli <Francesco.Belli@vegaspace.com>:
>
> Hi Clement,
> I already used pam_password directive, I set it to cleartext, but this
> parameter is used for password change and not for authentication. As man
> pam_ldap says "Specifies the password change protocol to use", so not the
> authentication method. Now my situation is that I have some users in the
> LDAP server that they have a SHA hash in the userPassword field, and they
> are correctly authenticated, others that have a clear text password and
> cannot be authenticated via PAM.
>
> Password scheme used in LDAP directory do not prevent any application
> to authenticate to LDAP. Dig into logs to see what is the real reason
> of your problem.
>
> Clément.
>
> In addition, it is not true that the password must be stored in cleartext
> for pwdCheckQuality and pwdInHistory to work. Storing passwords in cleartext
> is bad.

They can be stored hashed, but they must be sent as clear text in the
modification operation so that OpenLDAP can check the quality (min
size for example). The ppolicy overlay is then able to hash them when
storing accepted password in database.

Clément.

References:
- PAM authentication and PPolicy issues
  - From: Francesco Belli <Francesco.Belli@vegaspace.com>
- Re: PAM authentication and PPolicy issues
  - From: Clément OUDOT <clem.oudot@gmail.com>
- Re: PAM authentication and PPolicy issues
  - From: Clément OUDOT <clem.oudot@gmail.com>
- Re: PAM authentication and PPolicy issues
  - From: Patrick Hemmer <openldap@stormcloud9.net>

Prev by Date: Re: Sun(oracle) directory server to openldap
Next by Date: RE: PAM authentication and PPolicy issues
Index(es):
- Chronological
- Thread