[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Best multi-password password changing setup

Buchan Milne wrote:
(This email has been sitting in my drafts folder for a week ... if it seems
incomplete, it was because I didn't want to wait till next week Tuesday when
I am finally back in the office).

I'm trying to complete a system which allows authentication by a number of
means, for example:

-Wifi authentication with WPA2 with MSCHAPv2 to FreeRADIUS against
sambaNTPassword attribute in OpenLDAP
-Samba domain
-Kerberos with keys stored in OpenLDAP
-Some hardware devices which read userPassword and compare the hash

At the same time, I would like password policies applied, including:
-Password expiry by default (but exempt some accounts from password expiry)
-Password history checking
-Password strength rules (at minimum length, preferably enforce variation of
character types)

It seems that Heimdal currently doesn't have password history support, and the
password expiry available is quite limited (e.g. global via
[kadmin]password_lifetime). However, Heimdal respects the sambaPwdMustChange

MIT has password history support, and support for multiple password expiry
policies, but password history is not available with the LDAP backend (and I
don't see mention of whether the password policies can be stored in LDAP

Password changes via Heimdal will:
-Change the password in the krb5key attributes
-Change the password in sambaNTPassword
-update krb5PasswordEnd
-update sambaPwdMustChange (but not sambaPwdLastSet)
-not change the password in userPassword
-not update pwdChangedTime
-not update passwords in pwdHistory

Password changes via OpenLDAP (exop) with ppolicy and smbk5pwd overlays will:
-Change the password in the krb5Key attributes
-Change the password in the userPassword attribute
-Change the password in the sambaNTPassword and sambaLMPassword attributes
-update pwdChangedTime
-update sambaPwdLastSet (but not sambaPwdMustChange)
-update passwords in pwdHistory
-Not update krb5PasswordEnd

I would prefer not to rely on password changing via samba, since most users
don't really know anything about samba (so, I'll probably have samba setup
for 'ldap passwd sync = only'

So, are there any solutions to this problem ? Or, will one of ppolicy or
smbk5pwd need to be updated to take the other into account.

It's a simple matter to update smbk5pwd. Nobody has asked until now, and you could easily do it yourself. I don't think ppolicy has any business doing that other stuff.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/