
RE: Ppolicy overlay password checking module



Hi!

A couple of days ago I finished the same thing.
And it works ...


Slapd.conf :
.....
include         /usr/local/etc/openldap/schema/ppolicy.schema

modulepath      /usr/sbin/openldap

moduleload ppolicy.la

overlay ppolicy
ppolicy_default "cn=std,ou=ppolicy,ou=users,ou=tm"
ppolicy_hash_cleartext
ppolicy_use_lockout




Ppolicy_example.ldif :

dn: ou=ppolicy, ou=users, ou=tm
ou: ppolicy
objectClass: organizationalUnit

dn: cn=std, ou=ppolicy, ou=users, ou=tm
pwdCheckModule: check_password.so
pwdMaxFailure: 6
pwdMustChange: TRUE
pwdAttribute: userPassword
pwdMinLength: 7
pwdSafeModify: FALSE
pwdInHistory: 4
pwdGraceAuthNLimit: 3
pwdCheckQuality: 1
objectClass: pwdPolicy
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
pwdLockoutDuration: 1800
cn: std
pwdAllowUserChange: TRUE
pwdExpireWarning: 2591900
pwdLockout: TRUE
pwdMaxAge: 2592000





And checking function :

......./openldap-2.3.32/servers/slapd/overlays/check_password.c : 

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "portable.h"
#include "slap.h"

int init_module()
{
    return 0;
}

/* Called by the ppolicy overlay after its built-in checks have passed.
 * Return 0 if the password is acceptable, non-zero otherwise; on failure
 * *ppErrStr receives a malloc'd message (slapd logs it and then frees it). */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    int pwqr = 0;
    char retmsg[255];
    char *message;

    *ppErrStr = NULL;

    if (strstr( pPasswd, " ") != NULL)
    {
        pwqr = 1;
        strcpy(retmsg, "1:Password contains SPACE ...");
        goto paroles_rez;
    }
//////////////////
..
// other controls 
..
//////////////////

    return 0;

paroles_rez:

    /* Allocate a copy of the message for the caller */
    message = (char *)malloc(strlen(retmsg) + 1);
    if (message == NULL)
        return pwqr;
    /* Copy the contents of the string. */
    strcpy(message, retmsg);

    *ppErrStr = message;

    return pwqr;
}




......./openldap-2.3.32/servers/slapd/overlays/Makefile:
...
check_password:
	gcc -fPIC -c -I../../../include -I.. check_password.c
	gcc -shared -o check_password.so check_password.o
	cp -f check_password.so /usr/sbin/openldap
.....




Only, slapd shows my returned error message in the log file and doesn't
forward it to the client.



Jan 30 09:05:39 KS-Test-1 slapd[11959]: check_password_quality: module
error: (check_password.so) 1:Password contains SPACE ....[1]
Jan 30 09:05:39 KS-Test-1 slapd[11959]: send_ldap_result: conn=4 op=5
p=3
Jan 30 09:05:39 KS-Test-1 slapd[11959]: send_ldap_result: err=19
matched="" text="Password fails quality checking policy"
Jan 30 09:05:39 KS-Test-1 slapd[11959]: send_ldap_response: msgid=6
tag=103 err=19
Jan 30 09:05:39 KS-Test-1 slapd[11959]: conn=4 op=5 RESULT tag=103
err=19 text=Password fails quality checking policy

Andris Eiduks
-----Original Message-----
From:
openldap-software-bounces+andris.eiduks=tietoenator.com@OpenLDAP.org
[mailto:openldap-software-bounces+andris.eiduks=tietoenator.com@OpenLDAP
.org] On Behalf Of Metcalf, Roger
Sent: Monday, January 29, 2007 5:51 PM
To: allmanj@cp.dias.ie
Cc: openldap-software@openldap.org
Subject: Ppolicy overlay password checking module


Hi John,

I didn't find a response to your query (pasted below).  I'm about to try
cooking up something similar.  Did you ever get help or find the magic
combination of ingredients to get pwdCheckModule working?  If so, please
share the recipe!  

Thanks,
Roger Metcalf

# # # # #

Hi all,

I don't know if this is the right list, but I'm hoping the author of the
overlay or somebody equally knowledgeable is on this list and will be
able to help me.

I'm attempting to use the password policy overlay with a custom password
strength checker. The docs say the following on the subject:

"pwdCheckModule This attribute names a user-defined loadable module that
must instantiate the check_password() function. This function will be
called to further check a new password if pwdCheckQuality is set to one
(1) or two (2), after all of the built-in password compliance checks
have been passed. This function will be called according to this
function prototype:

    int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);

...

Note: The user-defined loadable module named by pwdCheckModule must be
in slapd's standard executable search PATH. Note: pwdCheckModule is a
non-standard extension to the LDAP password policy proposal

Now, I'm a little unclear on how exactly to compile such a module or
where to place it so as to load it. "standard executable search PATH"
seems to imply it should go where binaries go (for example
/usr/local/bin) but I'm wondering if maybe it's the modulepath in the
slapd.conf. I've tried both so I'm assuming I'm not compiling it up
correctly.

The following is my simple program using cracklib (untested but I
believe should work). The file is called ldap_cracklib.c

#include <portable.h>
#include <slap.h>
#include <packer.h>      /* cracklib: FascistCheck() */
#include <stdlib.h>
#include <string.h>

int  check_password  (char  *pPasswd, char **ppErrStr, Entry *pEntry);

int check_password( char *pPasswd, char **ppErrStr, Entry *pEntry ) {
        const char *ret;
        /* dictionary path is given without the .pwd/.pwi suffix */
        ret = FascistCheck( pPasswd, "/usr/local/libdata/cracklib/pw_dict" );
        if (ret == NULL)
        {
                return 0;       /* 0 = password accepted */
        }
        /* FascistCheck() returns a static string; the overlay frees
         * *ppErrStr after logging it, so hand it a heap copy. */
        *ppErrStr = malloc( strlen(ret) + 1 );
        if (*ppErrStr != NULL)
                strcpy( *ppErrStr, ret );
        return 1;
}

I've compiled it to an object file with gcc -c (and a whole bunch of
other arguments for includes, etc) and also to a library using libtool
(I took the makefile for smbk5pwd and modified it). I've then tried
modifying the pwdCheckModule to ldap_cracklib.o and ldap_cracklib.so
respectively (after copying the relevant files to both /usr/local/bin
and our module path, /usr/local/libexec/openldap).

I'm using the following command to try and change my password:

ldappasswd -x -W -A -H ldaps://ldapservername.fully.qualified.domain -D
"uid=allmanj,ou=people,dc=fully,dc=qualified,dc=domain"

It prompts me for my old password twice, once for my new and then says:

ldap_bind: Invalid credentials (49)

I can confirm that my (old) password is correct by using ldapwhoami.

So should I be making a library? Should I be making a basic compiled
object? Should I be making something else? Please bear in mind that I'm
an administrator not a programmer so I am a little ignorant.

I've tried boosting the ldap log level and looking for errors but I don't
see anything.

Any help would be greatly appreciated.

Thanks,

John
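A stand-alone module that follows the check_password() contract quoted from the docs above and the malloc'd error string convention of Andris's check_password.c, added here as an example and not code from either post or from OpenLDAP. It assumes an opaque stand-in for Entry so the file builds outside the slapd tree (the real module includes "portable.h" and "slap.h" instead), that slapd resolves the symbol from the module named by pwdCheckModule and free()s the returned text after logging it, and an invented rule set (no spaces, 8+ characters, three character classes, no triple repeats).

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in so this demo builds outside the slapd tree; the real module
 * includes "portable.h" and "slap.h" and gets the real Entry type. */
typedef struct slap_entry Entry;
/* Failure codes; 0 means the password passed. The rules are invented. */
enum { PW_OK = 0, PW_SPACE, PW_SHORT, PW_CLASSES, PW_REPEAT };
static const char *const pw_reason[] = {
    "ok",
    "1:password contains a space",
    "2:password shorter than 8 characters",
    "3:password needs 3 of lower/upper/digit/punctuation",
    "4:password has 3 identical characters in a row",
};
/* Pure check, kept apart from the slapd entry point so it can be tested.
 * ppolicy calls the module only after its built-in checks have passed. */
int pw_quality_code(const char *pw)
{
    size_t i, n = strlen(pw);
    int lower = 0, upper = 0, digit = 0, punct = 0, run = 1;
    if (strchr(pw, ' ') != NULL) return PW_SPACE;
    if (n < 8) return PW_SHORT;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (islower(c)) lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else if (ispunct(c)) punct = 1;
        if (i > 0 && pw[i] == pw[i - 1]) { if (++run >= 3) return PW_REPEAT; }
        else run = 1;
    }
    return (lower + upper + digit + punct < 3) ? PW_CLASSES : PW_OK;
}
const char *pw_quality_reason(int code) { return pw_reason[code]; }
int init_module(void) { return 0; }

/* Entry point slapd looks up in the module named by pwdCheckModule. The
 * message must be heap-allocated: ppolicy logs it and then free()s it. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    int code = pw_quality_code(pPasswd);
    (void)pEntry;                     /* the demo does not inspect the entry */
    *ppErrStr = NULL;
    if (code == PW_OK) return 0;
    *ppErrStr = malloc(strlen(pw_reason[code]) + 1);
    if (*ppErrStr != NULL) strcpy(*ppErrStr, pw_reason[code]);
    return code;
}
```

As the log lines in Andris's reply show, the text handed back in *ppErrStr only reaches slapd's log; the client still sees the generic "Password fails quality checking policy".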