RE: Expired password allowed in via pwdGraceAuthNLimit w/o warning to user
Ok....good progress...and thanks again for the data.
From: Buchan Milne [mailto:email@example.com]
Sent: Friday, July 09, 2010 12:27 PM
To: Licause, Al
Cc: Chris Jacobs; firstname.lastname@example.org
Subject: Re: Expired password allowed in via pwdGraceAuthNLimit w/o warning to user
On Friday, 9 July 2010 15:00:27 Licause, Al wrote:
> Again thanks so much for the response.
> What I don't understand is which component is responsible for requesting
> the password expiration information ?
>>In your specific case, pam_ldap.
> It must all of pwdGraceAuthNLimit,
> pwdMaxAge and pwdChangedTime in order to calculate the information needed
> to determine which warning to display and when to display it.
>>This calculation is done on the server side, and passed back to the client in
>>controls attached to the bind response, if the bind had the appropriate
>>controls attached to it.
Good to know.....so only the final calculated data is sent to the client
if requested. Not sure I'm seeing the correct request then when using tcpdump
or looking at slapd logging. I suspect we have some old components which are
going to require upgrades.
> It had been suggested that we test with ldapwhoami -e ppolicy.
> This wasn't something that was obvious to me as the man page for ldapwhoami
> doesn't show a -e option.
>>See --help ...
Didn't think to use --help.....now I see it.
>>(This may be a bug, but the version you have is quite outdated ... so if it is
>>still not documented in the ldapwhoami man page in 2.4.23, you should consider
>>filing an ITS).
Yes...unfortunately. I'm hoping to try out RHES V6 soon to see if they have
included later versions of all LDAP components. RHES V5.5 still doesn't have
what we need.
> Or perhaps this is an extension of the ldapsearch or similar commands to
> include extended parameters.....again something not obvious unless you are
> familiar with the code.
> In any case, when used with -x (since I am not using sasl)
>>Password policy is (AFAIK) currently only applicable to simple binds. (It may
>>be possible to support it for other methods, if the SASL mech supports it).
No problem.....but good to know.
> and -D
> uid=ldapuser,dc=....-W, only then do I see the warnings down to the second
> that the password will expire and if it has expired and pwdGraceAuthNLimit
> is greater than 0, do I see the grace period warning, when testing with
Please provide the exact message you see with ssh ...
# ssh -l ldap1 ldap1
Your LDAP password will expire in 1 day.
Last login: Fri Jul 9 11:04:11 2010 from ldap1.osn.cxo.cpqcorp.net
This is displayed if the time to expiration is greater than a 24 hour period
which is good....but not displayed if less than that.....which I believe someone
said is a known issue in this version.
If the password has already expired, we get no messages and no warnings about
# ssh -l ldap1 ldap1
Last login: Fri Jul 9 11:14:16 2010 from ldap1.osn.cxo.cpqcorp.net
[ldap1@ldap1 ~]$ ldapwhoami -x -D uid=ldap1,dc=osn,dc=cxo,dc=cpqcorp,dc=net -e ppolicy -W
Enter LDAP Password:
ldap_bind: Success (0) (Password expired, 4 grace logins remain)
Result: Success (0)
I had expiration set down low for testing and then pwdGraceAuthNLimit set to 5 so
that we could hopefully see the expired grace warnings.
> A strings on ldapwhoami shows these warnings coming from ldapwhoami itself.
>>The interpretation from control values to actual string representations must
>>be done by the application.
I have a feeling that the version of sshd may also be old enough that it
is not doing this work....
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
If the grace period warning is also supposed to come from pam_ldap.so, then
again, ours is probably old and needs to be upgraded:
# strings pam_ldap.so | grep -i grace
# strings pam_ldap.so | grep -i expire
Your LDAP password will expire in %ld day%s.
Thanks for including a good example of system-auth. I added only one line
that differed from ours and ignored any references to Kerberos libraries and
still no warnings.
I also modified the nsswitch.conf to make sure that shadow accounts were
only handled by the local facilities.
Again thanks for the help.
I think I'll investigate to see if newer versions of ldap components have
been included in a later version of the OS distributions we support.