OpenLDAP
Viewing Incoming/6550

From: online@mark.ziesemer.com
Subject: Patch for smbk5pwd slapd overlay to include shadowLastChange

Date: Fri, 14 May 2010 02:37:09 +0000
From: online@mark.ziesemer.com
To: openldap-its@OpenLDAP.org
Subject: Patch for smbk5pwd slapd overlay to include shadowLastChange
Full_Name: Mark A. Ziesemer
Version: 2.4.21 / HEAD
OS: Ubuntu Linux
URL: ftp://ftp.openldap.org/incoming/smbk5pwd-shadow-b.patch
Submission from: (NULL) (2001:470:1f11:3ae:dc54:73ba:be16:148)


Using the PasswordModify Extended Operation (exop) along with the smbk5pwd slapd
overlay provides several benefits, but does not currently include the
shadowLastChange attribute of the shadowAccount class.  This means the
shadowLastChange is missed from update, unless specially done along with a
PasswordModify.

This patch adds support for updating shadowLastChange into the smbk5pwd overlay
for slapd.

An added benefit is that once the updated overlay is in effect, write access to
the shadowLastChange attribute can optionally be restricted by configuration,
preventing users from updating shadowLastChange without actually updating their
password.

The SHA-1 hash of the provided patch (smbk5pwd-shadow-b.patch) is
c29ff518ea4fe03a4c5ee87d07a3af0082256950 .  (Please discard
"smbk5pwd-shadow.patch".)

Patch was generated against HEAD just now, but also applies cleanly to 2.4.21.

I am currently using the patched overlay in my current environment without
noticeable issue.  However, C is not my current primary language, so please give
appropriate attention to review.

This patch file is derived from OpenLDAP Software. All of the modifications to
OpenLDAP Software represented in the following patch were developed by Mark A.
Ziesemer <online@mark.ziesemer.com>. I have not assigned rights and/or interest
in this work to any party.

I, Mark A. Ziesemer, hereby place the following modifications to OpenLDAP
Software (and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice.
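An added illustration of what the report describes, written for this page and not taken from the patch at the URL above or from the smbk5pwd overlay's own C code: the set of attributes an exop-driven password change rewrites, modelled in Python against a constructed entry and a fixed timestamp. userPassword is hashed as RFC 2307 {SSHA}, sambaPwdLastSet is stamped in seconds since the epoch, and shadowLastChange in whole days since 1970-01-01, which is the unit shadow(5) defines for that field. The Samba NT/LM hash step the real overlay also performs is left out (MD4 is not reliably available in stock hashlib); the entry, DN and password are assumptions.

```python
import base64
import hashlib
import os
from datetime import datetime, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample entry (assumption): a real overlay reads the live entry.
SAMPLE_ENTRY = {
    "dn": "uid=jdoe,ou=People,dc=example,dc=com",
    "objectClass": ["posixAccount", "shadowAccount", "sambaSamAccount"],
    "uid": ["jdoe"],
    "shadowLastChange": ["14000"],
    "sambaPwdLastSet": ["1200000000"],
}

# Fixed "now" for a reproducible run: the report's own submission time.
SAMPLE_NOW = datetime(2010, 5, 14, 2, 37, 9, tzinfo=timezone.utc)


def ssha_hash(password, salt=None):
    """RFC 2307-style {SSHA}: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def days_since_epoch(when):
    # shadow(5): shadowLastChange counts whole days since 1970-01-01 (UTC).
    return (when.astimezone(timezone.utc) - EPOCH).days


def exop_modifications(entry, new_password, now, salt=None):
    """Attributes an exop-driven overlay would replace on this entry.

    Same shape as the report describes: userPassword always,
    sambaPwdLastSet when the entry is a sambaSamAccount, and
    shadowLastChange when it is a shadowAccount.  Values are kept as
    LDAP string values, the way they are stored in the directory.
    """
    classes = {c.lower() for c in entry.get("objectClass", [])}
    mods = {"userPassword": [ssha_hash(new_password, salt)]}
    if "sambasamaccount" in classes:
        mods["sambaPwdLastSet"] = [str(int(now.timestamp()))]
    if "shadowaccount" in classes:
        mods["shadowLastChange"] = [str(days_since_epoch(now))]
    return mods


def apply_modifications(entry, mods):
    """Return the entry as it would look after the replace operations."""
    updated = dict(entry)
    updated.update(mods)
    return updated


if __name__ == "__main__":
    mods = exop_modifications(SAMPLE_ENTRY, "correct horse", SAMPLE_NOW)
    for attr, values in mods.items():
        print(f"replace: {attr}: {values[0]}")
```

The point worth noticing is that the two "last set" attributes carry the same instant in different units (1273804629 seconds versus 14743 days for the sample time), so a client that reads one cannot be pointed at the other without a conversion. Because all three attributes are written by the server on the exop path, the report's ACL remark follows: a user can be denied direct write on shadowLastChange without losing the update that accompanies a real password change.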

Followup 1

Date: Fri, 14 May 2010 12:35:39 +0200
From: Michael Ströder <michael@stroeder.com>
To: online@mark.ziesemer.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
online@mark.ziesemer.com wrote:
> Full_Name: Mark A. Ziesemer
> Version: 2.4.21 / HEAD
> OS: Ubuntu Linux
> URL: ftp://ftp.openldap.org/incoming/smbk5pwd-shadow-b.patch
> Submission from: (NULL) (2001:470:1f11:3ae:dc54:73ba:be16:148)
> 
> Using the PasswordModify Extended Operation (exop) along with the smbk5pwd slapd
> overlay provides several benefits, but does not currently include the
> shadowLastChange attribute of the shadowAccount class.  This means the
> shadowLastChange is missed from update, unless specially done along with a
> PasswordModify.

While I agree that this could be useful in general I'd rather argue that for
Samba 3 'sambaPwdLastSet' should be set.

'shadowLastChange' is rather a POSIX account attribute which from my
understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be
extended...

Ciao, Michael.



Followup 2

Date: Fri, 14 May 2010 13:25:16 +0200
From: Michael Ströder <michael@stroeder.com>
To: openldap-its@openldap.org
Subject: Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
michael@stroeder.com wrote:
> I'd rather argue that for
> Samba 3 'sambaPwdLastSet' should be set.

Uumpf! This is already set. Sorry for the noise.

> 'shadowLastChange' is rather a POSIX account attribute which from my
> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be
> extended...

But still it's the question whether we want to have this functionality for
various password-related attributes all in one overlay or whether there should
be distinct overlays for each account type (posixAccount/shadowAccount,
sambaSAMAccount, Kerberos user).

Personally I'd like to see this overlay moved from contrib/ into the standard
build. But for Kerberos-related attributes the build and schema dependencies
are an obstacle. => separate overlays at least for KDC/LDAP and
Samba-Posix/LDAP.

Ciao, Michael.



Followup 3

Date: Fri, 14 May 2010 06:00:53 -0700
From: Howard Chu <hyc@symas.com>
To: michael@stroeder.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
michael@stroeder.com wrote:
> michael@stroeder.com wrote:
>> I'd rather argue that for
>> Samba 3 'sambaPwdLastSet' should be set.
>
> Uumpf! This is already set. Sorry for the noise.
>
>> 'shadowLastChange' is rather a POSIX account attribute which from my
>> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be
>> extended...
>
> But still it's the question whether we want to have this functionality for
> various password-related attributes all in one overlay or whether there should
> be distinct overlays for each account type (posixAccount/shadowAccount,
> sambaSAMAccount, Kerberos user).

shadowAccount is deprecated. LDAP ppolicy already provides a pwdChangedTime 
attribute.

> Personally I'd like to see this overlay moved from contrib/ into the standard
> build. But for Kerberos-related attributes the build and schema dependencies
> are an obstacle. =>  separate overlays at least for KDC/LDAP and
> Samba-Posix/LDAP.

Ultimately both Kerberos and Samba will just be using LDAP ppolicy. But yes, 
the build dependencies are still annoying.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 4

Date: Fri, 14 May 2010 08:29:24 -0500
Subject: Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
From: "Mark A. Ziesemer" <online@mark.ziesemer.com>
To: Michael Ströder <michael@stroeder.com>
Cc: openldap-its@openldap.org

2010/5/14 Michael Ströder <michael@stroeder.com>

> online@mark.ziesemer.com wrote:
> > Full_Name: Mark A. Ziesemer
> > Version: 2.4.21 / HEAD
> > OS: Ubuntu Linux
> > URL: ftp://ftp.openldap.org/incoming/smbk5pwd-shadow-b.patch
> > Submission from: (NULL) (2001:470:1f11:3ae:dc54:73ba:be16:148)
> >
> > Using the PasswordModify Extended Operation (exop) along with the smbk5pwd slapd
> > overlay provides several benefits, but does not currently include the
> > shadowLastChange attribute of the shadowAccount class.  This means the
> > shadowLastChange is missed from update, unless specially done along with a
> > PasswordModify.
>
> While I agree that this could be useful in general I'd rather argue that for
> Samba 3 'sambaPwdLastSet' should be set.
>

sambaPwdLastSet is already handled by the "samba" portion of this overlay.

> 'shadowLastChange' is rather a POSIX account attribute which from my
> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be
> extended...
>

I guess I wouldn't have any objections if all the references to "shadow"
were renamed to "posix".  However, the shadowLastChange attribute is part of
the shadowAccount objectClass - with neither of these names referring to
POSIX.

I had considered a separate overlay.  However, in terms of purpose, shared
code, functionality, and performance, it seems to make the most sense to
include this addition into the smbk5pwd overlay.

Both pam_ldap and the Samba client support use of exop password changes.
Additionally, pam_ldap doesn't appear to support hashing to SSHA (only MD5,
which is also the default) - so setting to "exop" also allows for a stronger
hash of the password to be stored.

With the unpatched overlay, doing an exop password change updates
userPassword (used by POSIX), as well as all the Samba attributes:
sambaLMPassword, sambaNTPassword, and sambaPwdLastSet .  This allows Samba
clients to use the updated password as well as seeing when the password was
last set, but POSIX clients do not see an updated shadowLastChange.  This
patch adds support for the otherwise missing shadowLastChange, keeping
everything consistent.

There are many issues posted online with all the password attributes except
shadowLastChange getting updated.  This patch should provide a solution for
many of these cases.


> Ciao, Michael.
>

--
Mark A. Ziesemer
www.ziesemer.com



Followup 5

Date: Fri, 14 May 2010 16:03:45 +0200
From: Michael Ströder <michael@stroeder.com>
To: "Mark A. Ziesemer" <online@mark.ziesemer.com>
CC: openldap-its@openldap.org
Subject: Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
Mark A. Ziesemer wrote:
> 2010/5/14 Michael Ströder <michael@stroeder.com>
> 'shadowLastChange' is rather a POSIX account attribute which from my 
> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be 
> extended...
> 
> I guess I wouldn't have any objections if all the references to "shadow"
> were renamed to "posix".  However, the shadowLastChange attribute is
> part of the shadowAccount objectClass - with neither of these names
> referring to POSIX.

I didn't consider to change the name of the attribute. With POSIX account data
I rather wanted to point to RFC 2307 where posixAccount and shadowAccount
object classes and the accompanying attributes are defined.

Don't get me wrong. I support the idea of setting shadowLastChange even if
Howard considers it to be deprecated. And I have no objections to a
one-sets-all-of-these overlay.

But I'd even like to see this overlay available as standard feature. Since in
the current state it has build dependencies to Kerberos libs this is not easy.
Only building the Samba support is possible and needs some tweaking of the
Makefile.

> There are many issues posted online with all the password attributes
> except shadowLastChange getting updated.  This patch should provide a
> solution for many of these cases.

Yupp. I already thought about these problems long ago when implementing the
different password change use-cases in web2ldap.

Ciao, Michael.



Followup 6

Date: Fri, 14 May 2010 16:06:07 +0200
From: Michael Ströder <michael@stroeder.com>
To: Howard Chu <hyc@symas.com>
CC: openldap-its@openldap.org
Subject: Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
Howard Chu wrote:
> michael@stroeder.com wrote:
>> michael@stroeder.com wrote:
>>> I'd rather argue that for
>>> Samba 3 'sambaPwdLastSet' should be set.
>>
>> Uumpf! This is already set. Sorry for the noise.
>>
>>> 'shadowLastChange' is rather a POSIX account attribute which from my
>>> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be
>>> extended...
>>
>> But still it's the question whether we want to have this functionality for
>> various password-related attributes all in one overlay or whether there should
>> be distinct overlays for each account type (posixAccount/shadowAccount,
>> sambaSAMAccount, Kerberos user).
> 
> shadowAccount is deprecated. LDAP ppolicy already provides a
> pwdChangedTime attribute.

While I agree that slapo-ppolicy is the better solution in the long run I see
no reason why to not set both attributes at the server's side to make older
LDAP clients happy.

> Ultimately both Kerberos and Samba will just be using LDAP ppolicy.

Yes. But there is indeed a real need for a solution in the meantime...

Ciao, Michael.



Followup 7

Date: Fri, 14 May 2010 07:34:44 -0700
From: Howard Chu <hyc@symas.com>
To: Michael Ströder <michael@stroeder.com>
CC: openldap-its@openldap.org
Subject: Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
Michael Ströder wrote:
> Howard Chu wrote:
>> michael@stroeder.com wrote:
>>> michael@stroeder.com wrote:
>>>> I'd rather argue that for
>>>> Samba 3 'sambaPwdLastSet' should be set.
>>>
>>> Uumpf! This is already set. Sorry for the noise.
>>>
>>>> 'shadowLastChange' is rather a POSIX account attribute which from my
>>>> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be
>>>> extended...
>>>
>>> But still it's the question whether we want to have this functionality for
>>> various password-related attributes all in one overlay or whether there should
>>> be distinct overlays for each account type (posixAccount/shadowAccount,
>>> sambaSAMAccount, Kerberos user).
>>
>> shadowAccount is deprecated. LDAP ppolicy already provides a
>> pwdChangedTime attribute.
>
> While I agree that slapo-ppolicy is the better solution in the long run I see
> no reason why to not set both attributes at the server's side to make older
> LDAP clients happy.

This is not a realistic use case. smbk5pwd was written starting in 2004; 
pam_ldap started supporting LDAP password policy long before then. Anyone 
running LDAP clients (pam_ldap, nss_ldap) older than that has far worse 
problems to worry about.

>> Ultimately both Kerberos and Samba will just be using LDAP ppolicy.
>
> Yes. But there is indeed a real need for a solution in the meantime...

Yes, in the meantime both Heimdal and Samba use the sambaPwdLastSet attribute 
which is already taken care of.

This ITS will be closed.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 8

Date: Sat, 15 May 2010 15:49:37 +0200
From: Michael Ströder <michael@stroeder.com>
To: Howard Chu <hyc@symas.com>
CC: openldap-its@openldap.org
Subject: Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
Howard Chu wrote:
> Michael Ströder wrote:
>> While I agree that slapo-ppolicy is the better solution in the long run I
>> see no reason why to not set both attributes at the server's side to
>> make older LDAP clients happy.
> 
> This is not a realistic use case. smbk5pwd was written starting in 2004;
> pam_ldap started supporting LDAP password policy long before then.

Yes, pam_ldap supports enforcing the password policy probably by correctly
handling the response controls. Grepping through the source of recent versions
it seems to me it does not read attribute pwdChangedTime nor does nss_ldap.

> Anyone running LDAP clients (pam_ldap, nss_ldap) older than that has far
> worse problems to worry about.

AFAICS nss_ldap cannot deliver the correct value for 'shadowLastChange' when
someone or something invokes a call like this

getent shadow michael

'pwdChangedTime' is of syntax Generalized Time whereas 'shadowLastChange' is
Integer with seconds since epoch. In theory nss_ldap could convert it. But
AFAICS it doesn't. Also if an older client would search for
(shadowLastChange<=<value>) this wouldn't work either.

> This ITS will be closed.

Well, you're the OpenLDAP boss and free to refuse anything you want. But
personally I don't understand your strong objections.

Ciao, Michael.



Followup 9

Date: Sat, 15 May 2010 11:19:47 -0700
From: Howard Chu <hyc@symas.com>
To: Michael Ströder <michael@stroeder.com>
CC: openldap-its@openldap.org
Subject: Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
Michael Ströder wrote:
> Howard Chu wrote:
>> Michael Ströder wrote:
>>> While I agree that slapo-ppolicy is the better solution in the long run I
>>> see no reason why to not set both attributes at the server's side to
>>> make older LDAP clients happy.
>>
>> This is not a realistic use case. smbk5pwd was written starting in 2004;
>> pam_ldap started supporting LDAP password policy long before then.
>
> Yes, pam_ldap supports enforcing the password policy probably by correctly
> handling the response controls. Grepping through the source of recent versions
> it seems to me it does not read attribute pwdChangedTime nor does nss_ldap.

Because clients don't need to read the value. Since password modification is 
all managed on the server, it's an irrelevant detail on the client.

>> Anyone running LDAP clients (pam_ldap, nss_ldap) older than that has
far
>> worse problems to worry about.
>
> AFAICS nss_ldap cannot deliver the correct value for 'shadowLastChange' when
> someone or something invokes a call like this
>
> getent shadow michael

Nobody does that. Normal users don't even have read permission to do that.

> 'pwdChangedTime' is of syntax Generalized Time whereas 'shadowLastChange' is
> Integer with seconds since epoch. In theory nss_ldap could convert it. But
> AFAICS it doesn't. Also if an older client would search for
> (shadowLastChange<=<value>) this wouldn't work either.

You've just proven the point why shadowLastChange is problematic. The encoded 
value is in *minutes* since the epoch. All of the shadow values were poorly 
defined to begin with (talking about /etc/shadow, not just RFC2307), 
inconsistent with common Unix practice, and most people don't understand them 
anyway. They have no role in an LDAP-enabled environment, all they do is 
perpetuate confusion.

>> This ITS will be closed.
>
> Well, you're the OpenLDAP boss and free to refuse anything you want. But
> personally I don't understand your strong objections.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
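Followups 8 and 9 turn on the mapping between slapo-ppolicy's pwdChangedTime (GeneralizedTime) and the integer shadowLastChange, and on whether a client-side filter such as (shadowLastChange<=N) can work without it. The two messages give different units for shadowLastChange; shadow(5) defines the field as the number of days since 1970-01-01, and the example below uses that. It is an added illustration written for this page, not code from nss_ldap, pam_ldap, slapo-ppolicy or the overlay: it parses the RFC 4517 GeneralizedTime forms ppolicy writes (Z or a numeric offset, optional fraction), converts in both directions, derives shadowLastChange from pwdChangedTime for an entry that lacks it, and evaluates the <= filter the way an integer assertion behaves when the attribute is absent. The sample entry and DN are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# RFC 4517 GeneralizedTime as written by slapo-ppolicy:
# YYYYmmddHHMMSS, optional fraction, then Z or +HHMM / -HHMM.
_GT = re.compile(r"^(\d{14})(?:[.,](\d+))?(Z|[+-]\d{4})$")

# Constructed sample (assumption): a ppolicy-managed entry with no
# shadowLastChange, as an older nss_ldap client would see it.
SAMPLE_PPOLICY_ENTRY = {
    "dn": "uid=jdoe,ou=People,dc=example,dc=com",
    "objectClass": ["posixAccount", "shadowAccount"],
    "uid": ["jdoe"],
    "pwdChangedTime": ["20100514023709Z"],
}


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime string into an aware datetime."""
    m = _GT.match(value)
    if not m:
        raise ValueError(f"not a GeneralizedTime: {value!r}")
    base, frac, zone = m.groups()
    when = datetime.strptime(base, "%Y%m%d%H%M%S")
    if frac:
        # Keep microsecond precision at most; pad or truncate the fraction.
        when += timedelta(microseconds=int(frac[:6].ljust(6, "0")))
    if zone == "Z":
        tz = timezone.utc
    else:
        sign = 1 if zone[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5])))
    return when.replace(tzinfo=tz)


def pwd_changed_time_to_shadow_last_change(value):
    # shadow(5): whole days since 1970-01-01.  Normalise to UTC first, so a
    # timestamp written with a local offset lands on the right day.
    return (parse_generalized_time(value).astimezone(timezone.utc) - EPOCH).days


def shadow_last_change_to_pwd_changed_time(days):
    # Lossy in this direction: a day count only identifies midnight UTC.
    return (EPOCH + timedelta(days=days)).strftime("%Y%m%d%H%M%SZ")


def derive_shadow_attrs(entry):
    """Fill in shadowLastChange from pwdChangedTime when it is missing.

    This is the conversion Followup 8 says nss_ldap does not perform; it
    could equally be done server-side.  Values stay LDAP strings.
    """
    out = dict(entry)
    if "shadowLastChange" not in out and "pwdChangedTime" in out:
        days = pwd_changed_time_to_shadow_last_change(out["pwdChangedTime"][0])
        out["shadowLastChange"] = [str(days)]
    return out


def matches_shadow_filter_le(entry, threshold):
    """Evaluate (shadowLastChange<=threshold) as an integer ordering filter.

    An entry without the attribute never matches, which is why a client
    filter on shadowLastChange silently returns nothing against entries
    that only carry pwdChangedTime.
    """
    values = entry.get("shadowLastChange")
    if not values:
        return False
    return int(values[0]) <= threshold


if __name__ == "__main__":
    print(pwd_changed_time_to_shadow_last_change("20100514023709Z"))
    print(shadow_last_change_to_pwd_changed_time(14743))
    print(matches_shadow_filter_le(SAMPLE_PPOLICY_ENTRY, 20000))
    print(matches_shadow_filter_le(derive_shadow_attrs(SAMPLE_PPOLICY_ENTRY), 20000))
```

The offset cases are the ones to watch: "20100513233709-0200" and "20100514003709+0200" are 03:37Z on 14 May and 22:37Z on 13 May respectively, so they fall on different shadow days even though their local date strings differ in the other direction. Whichever side does the mapping, the server that writes both attributes (the report's approach) or a client that converts on read, has to make this normalisation rather than slicing the first eight digits of the string.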


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org